Edit tour

Windows Analysis Report
740d3a.msi

Overview

General Information

Sample name:	740d3a.msi
Analysis ID:	1559267
MD5:	64a6cf00b80fe77c16f6da137dd7a9d1
SHA1:	f9365c7876ac8934a48237499cf8774fe78ea196
SHA256:	630acefe136ea2e4bb95211a214e4829d8cb59d4d948b09221e61acd278854bf
Tags:	167-114-47-186asyncratewfiles-netmsisigneduser-JAMESWT_MHT
Infos:

Detection

PureCrypter

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Creates autostart registry keys with suspicious names

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal Bitcoin Wallet information

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PowerShell Script Run in AppData

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 1096 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6232 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5960 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BF03D9DA9F637DCB977237F6A9B3752B MD5: 9D09DC1EDA745A5F87553048E57620CF)

aipackagechainer.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe" MD5: 2C0130F614EA8C240320EC47D0008EEA)

Vista Software.exe (PID: 1056 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" MD5: 35135E7F357C522D07DDD87307C0345C)

Vista Software.tmp (PID: 2304 cmdline: "C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp" /SL5="$303F2,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" MD5: 584586C0CF548DB94F76F124046D58D9)

Vista Software.exe (PID: 4836 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT MD5: 35135E7F357C522D07DDD87307C0345C)

Vista Software.tmp (PID: 672 cmdline: "C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp" /SL5="$403EC,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT MD5: 584586C0CF548DB94F76F124046D58D9)

cmd.exe (PID: 592 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2716 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 1524 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6708 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2800 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2432 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1056 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6416 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1524 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5820 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5760 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3648 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5048 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 4396 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4328 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5716 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

file.exe (PID: 5440 cmdline: "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)

cmd.exe (PID: 2864 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\doW4t2.a3x && del C:\ProgramData\\doW4t2.a3x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6704 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

file.exe (PID: 5988 cmdline: file.exe C:\ProgramData\\doW4t2.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 5896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5648 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 504 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

powershell.exe (PID: 6040 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6640 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6440 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AutoIt3.exe (PID: 4872 cmdline: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 3756 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

AutoIt3.exe (PID: 1428 cmdline: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 5392 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000030.00000002.3268979112.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 5988	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MSBuild.exe PID: 5896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 4052, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 6040, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\clithe\file.exe, ProcessId: 5988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eeacadf

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 4052, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 6040, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 4052, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 6040, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:17:34.367937+0100	2035595	1	Domain Observed Used for C2 Detected	167.114.47.186	56001	192.168.2.6	49984	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: 740d3a.msi

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\reclosable_is1

Jump to behavior

Source: unknown

HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49713 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000004.00000000.2154424949.0000000000627000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2288037024.00000000075EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: file.exe, 0000002D.00000003.2963313969.0000000004088000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2963179811.00000000041AB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2967026741.0000000004224000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, 0000002D.00000003.2963313969.0000000004088000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2963179811.00000000041AB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2967026741.0000000004224000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: <Module>PSEventHandlerRefEmit_InMemoryManifestModulePSGenericEventModulen.pdb\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=571345ComSpec=C:\32K source: powershell.exe, 0000000B.00000002.2288037024.000000000761B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPbnXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2288617216.00000000071A9000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Local\clithe\file.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005B4320 FindFirstFileW,FindClose,FindClose,	4_2_005B4320
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A6BA0 FindFirstFileW,GetLastError,FindClose,	4_2_005A6BA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0059B5A0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	4_2_0059B5A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0059DD10 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	4_2_0059DD10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005CAC60 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_005CAC60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0060CCF0 FindFirstFileExW,	4_2_0060CCF0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C0E10 FindFirstFileW,FindClose,	4_2_005C0E10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C9440 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_005C9440
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C9880 FindFirstFileW,FindClose,	4_2_005C9880
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00581950 FindFirstFileW,FindNextFileW,FindClose,	4_2_00581950
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A3B60 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	4_2_005A3B60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A7DF0 FindFirstFileW,FindClose,	4_2_005A7DF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0030C0D2 FindFirstFileExW,	45_2_0030C0D2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	45_2_0033E180
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	45_2_0034A187
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	45_2_0034A2E4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	45_2_0034A66E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034686D FindFirstFileW,FindNextFileW,FindClose,	45_2_0034686D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033E9BA GetFileAttributesW,FindFirstFileW,FindClose,	45_2_0033E9BA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_003474F0 FindFirstFileW,FindClose,	45_2_003474F0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00347591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	45_2_00347591
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	45_2_0033DE32
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7E5A5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	45_2_00E7E5A5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7E6AD FindFirstFileA,GetLastError,	45_2_00E7E6AD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7BED5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	45_2_00E7BED5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D8C0D2 FindFirstFileExW,	47_2_00D8C0D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	47_2_00DBE180
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	47_2_00DCA187
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	47_2_00DCA2E4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	47_2_00DCA66E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC686D FindFirstFileW,FindNextFileW,FindClose,	47_2_00DC686D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBE9BA GetFileAttributesW,FindFirstFileW,FindClose,	47_2_00DBE9BA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC74F0 FindFirstFileW,FindClose,	47_2_00DC74F0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	47_2_00DC7591
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	47_2_00DBDE32
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019BFEFD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	47_2_019BFEFD
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019C0005 FindFirstFileA,GetLastError,	47_2_019C0005
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019BD82D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	47_2_019BD82D

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005C80E0 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

4_2_005C80E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 167.114.47.186:56001 -> 192.168.2.6:49984

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.6:49984 -> 167.114.47.186:56001

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0034D935 InternetReadFile,SetEvent,GetLastError,SetEvent,

45_2_0034D935

Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: MSBuild.exe, 0000002E.00000002.3381212760.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 0000002E.00000002.3381212760.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000008.00000002.2247946185.00000000030E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabM
Source: powershell.exe, 00000008.00000002.2247946185.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enq
Source: powershell.exe, 00000008.00000002.2297404851.0000000005F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2277059050.0000000005ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2255750077.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2247764460.0000000004E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2250253596.0000000004F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000002E.00000002.3385347681.0000000003070000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000027.00000000.2268475312.00000000003A5000.00000002.00000001.01000000.0000000B.sdmp, file.exe, 0000002D.00000000.2921494238.00000000003A5000.00000002.00000001.01000000.0000000B.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000000.3052534350.0000000000E25000.00000002.00000001.01000000.0000000D.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000008.00000002.2255750077.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2247764460.0000000004E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2250253596.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: Vista Software.exe, 00000005.00000000.2160371198.0000000000A21000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000008.00000002.2297404851.0000000005F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2277059050.0000000005ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Vista Software.exe, 00000005.00000003.2167669347.000000007F84B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000005.00000003.2164502504.000000000315F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 00000006.00000000.2170071258.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Vista Software.tmp, 0000000A.00000000.2193818046.000000000097D000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Vista Software.exe, 00000005.00000003.2167669347.000000007F84B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000005.00000003.2164502504.000000000315F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 00000006.00000000.2170071258.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Vista Software.tmp, 0000000A.00000000.2193818046.000000000097D000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920

Source: unknown

HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0034F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

45_2_0034F664

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		45_2_0034F8D3
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCF8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		47_2_00DCF8D3

Source: C:\Users\user\AppData\Local\clithe\file.exe

45_2_0034F664

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0033AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

45_2_0033AA95

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00369FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		45_2_00369FB4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DE9FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		47_2_00DE9FB4

Source: Yara match

File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_00E902A1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

45_2_00E902A1

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E93729 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	45_2_00E93729
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E92905 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	45_2_00E92905
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D5081 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	47_2_019D5081

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0033E3CB: CreateFileW,DeviceIoControl,CloseHandle,

45_2_0033E3CB

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0033230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

45_2_0033230F

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058C3A0 GetForegroundWindow,MessageBoxW,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,ExitWindowsEx,CloseHandle,	4_2_0058C3A0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	45_2_0033F76E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBF76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	47_2_00DBF76E

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3fe04b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE24F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE4A1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE696.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE6E6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE735.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE774.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE802.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3fe04e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3fe04e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE90C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE9D9.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE24F.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058AB00	4_2_0058AB00
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005BFF10	4_2_005BFF10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005FA0D0	4_2_005FA0D0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EE090	4_2_005EE090
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005E8100	4_2_005E8100
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005815F0	4_2_005815F0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EA410	4_2_005EA410
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EE490	4_2_005EE490
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EA4B0	4_2_005EA4B0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058E540	4_2_0058E540
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005B2540	4_2_005B2540
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EC5C0	4_2_005EC5C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EE640	4_2_005EE640
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EC6E0	4_2_005EC6E0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058E870	4_2_0058E870
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00592940	4_2_00592940
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005E4A50	4_2_005E4A50
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058EAA0	4_2_0058EAA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00610D6D	4_2_00610D6D
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00608E60	4_2_00608E60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F4E00	4_2_005F4E00
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005D9050	4_2_005D9050
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_006091C0	4_2_006091C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005E3190	4_2_005E3190
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005AF270	4_2_005AF270
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EF400	4_2_005EF400
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005DD6F0	4_2_005DD6F0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00585930	4_2_00585930
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005EDA30	4_2_005EDA30
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005FDACC	4_2_005FDACC
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005D7CA0	4_2_005D7CA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005DFD20	4_2_005DFD20
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005ADDB0	4_2_005ADDB0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005ADEC0	4_2_005ADEC0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005FDF0B	4_2_005FDF0B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030A1265	11_2_030A1265
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002D7070	45_2_002D7070
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002E3AD9	45_2_002E3AD9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0030E32F	45_2_0030E32F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F24CA	45_2_002F24CA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00306599	45_2_00306599
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0035C844	45_2_0035C844
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F29E3	45_2_002F29E3
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002FC9C0	45_2_002FC9C0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002ECBF0	45_2_002ECBF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00306C09	45_2_00306C09
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00342D81	45_2_00342D81
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002DCE20	45_2_002DCE20
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002DEE00	45_2_002DEE00
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F2F23	45_2_002F2F23
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002EF0DA	45_2_002EF0DA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00339168	45_2_00339168
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0036525A	45_2_0036525A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002ED37F	45_2_002ED37F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F7746	45_2_002F7746
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002E58B8	45_2_002E58B8
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F1964	45_2_002F1964
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F7975	45_2_002F7975
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F7BD2	45_2_002F7BD2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002DDC70	45_2_002DDC70
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00309D1E	45_2_00309D1E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002D5D71	45_2_002D5D71
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F1FC1	45_2_002F1FC1
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E93081	45_2_00E93081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252040	46_2_01252040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_012523EC	46_2_012523EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252425	46_2_01252425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252408	46_2_01252408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252478	46_2_01252478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252440	46_2_01252440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_0125245F	46_2_0125245F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01252491	46_2_01252491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01254AE8	46_2_01254AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01254AF8	46_2_01254AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01251DA8	46_2_01251DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_01251DB8	46_2_01251DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F85730	46_2_05F85730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F82D45	46_2_05F82D45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F85739	46_2_05F85739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F851E7	46_2_05F851E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F851DE	46_2_05F851DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F85805	46_2_05F85805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F852DD	46_2_05F852DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F83420	46_2_05F83420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 46_2_05F83410	46_2_05F83410
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D57070	47_2_00D57070
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D63AD9	47_2_00D63AD9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D8E32F	47_2_00D8E32F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D724CA	47_2_00D724CA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D86599	47_2_00D86599
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DDC844	47_2_00DDC844
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D7C9C0	47_2_00D7C9C0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D729E3	47_2_00D729E3
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D6CBF0	47_2_00D6CBF0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D86C09	47_2_00D86C09
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC2D81	47_2_00DC2D81
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D5EE00	47_2_00D5EE00
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D5CE20	47_2_00D5CE20
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D72F23	47_2_00D72F23
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D6F0DA	47_2_00D6F0DA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DB9168	47_2_00DB9168
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DE525A	47_2_00DE525A
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D6D37F	47_2_00D6D37F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D77746	47_2_00D77746
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D77975	47_2_00D77975
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D71964	47_2_00D71964
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D77BD2	47_2_00D77BD2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D5DC70	47_2_00D5DC70
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D89D1E	47_2_00D89D1E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D71FC1	47_2_00D71FC1
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D9	47_2_019D49D9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D2	47_2_019D49D2

Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 00D5FA3B appears 33 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 00D7488E appears 33 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 00D7014F appears 40 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 00D71000 appears 41 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 005839B0 appears 49 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 00585680 appears 66 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 005F5540 appears 55 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 00585350 appears 67 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 002F014F appears 40 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 002F1000 appears 41 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 002F488E appears 33 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 002DFA3B appears 33 times

Source: Vista Software.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Vista Software.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-3O9ML.tmp.10.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Vista Software.tmp.5.dr	Static PE information: Number of sections : 11 > 10
Source: Vista Software.tmp.7.dr	Static PE information: Number of sections : 11 > 10
Source: Vista Software.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-3O9ML.tmp.10.dr	Static PE information: Number of sections : 11 > 10

Source: 45.2.file.exe.3ad2f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 45.2.file.exe.3ad2f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 45.2.file.exe.3ad2f24.1.raw.unpack, IdentifierAuthenticationMapper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 47.2.AutoIt3.exe.4182f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 47.2.AutoIt3.exe.4182f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 47.2.AutoIt3.exe.4182f24.1.raw.unpack, IdentifierAuthenticationMapper.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@82/60@0/2

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005A9710 FormatMessageW,GetLastError,

4_2_005A9710

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_003321C9 AdjustTokenPrivileges,CloseHandle,	45_2_003321C9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_003327D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	45_2_003327D9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DB21C9 AdjustTokenPrivileges,CloseHandle,	47_2_00DB21C9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DB27D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	47_2_00DB27D9

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005CA8A0 GetDiskFreeSpaceExW,

4_2_005CA8A0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0033E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle,

45_2_0033E2AB

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005D4B00 CoCreateInstance,

4_2_005D4B00

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005A2720 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

4_2_005A2720

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLE83A.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\8f1bd2930e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF3E2DFAA254D6C083.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\clithe\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\dbgbkfc\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\dbgbkfc\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

File read: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 740d3a.msi

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF03D9DA9F637DCB977237F6A9B3752B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp" /SL5="$303F2,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp" /SL5="$403EC,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Local\clithe\file.exe "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\doW4t2.a3x && del C:\ProgramData\\doW4t2.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\doW4t2.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\dbgbkfc\AutoIt3.exe "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\dbgbkfc\AutoIt3.exe "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF03D9DA9F637DCB977237F6A9B3752B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp" /SL5="$303F2,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp" /SL5="$403EC,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Local\clithe\file.exe "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\doW4t2.a3x && del C:\ProgramData\\doW4t2.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\doW4t2.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: version.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\dbgbkfc\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\reclosable_is1

Jump to behavior

Source: 740d3a.msi

Static file information: File size 6722560 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000004.00000000.2154424949.0000000000627000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2288037024.00000000075EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: file.exe, 0000002D.00000003.2963313969.0000000004088000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2963179811.00000000041AB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2967026741.0000000004224000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, 0000002D.00000003.2963313969.0000000004088000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2963179811.00000000041AB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2967026741.0000000004224000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: <Module>PSEventHandlerRefEmit_InMemoryManifestModulePSGenericEventModulen.pdb\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=571345ComSpec=C:\32K source: powershell.exe, 0000000B.00000002.2288037024.000000000761B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPbnXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2288617216.00000000071A9000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 45.2.file.exe.3ad2f24.1.raw.unpack, TokenValListener.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 47.2.AutoIt3.exe.4182f24.1.raw.unpack, TokenValListener.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005A98C0 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

4_2_005A98C0

Source: Vista Software.tmp.5.dr	Static PE information: real checksum: 0x0 should be: 0x37b358
Source: Vista Software.tmp.7.dr	Static PE information: real checksum: 0x0 should be: 0x37b358
Source: Vista Software.exe.3.dr	Static PE information: real checksum: 0x85f640a should be: 0x33372a
Source: is-3O9ML.tmp.10.dr	Static PE information: real checksum: 0x0 should be: 0x3817ca
Source: aipackagechainer.exe.3.dr	Static PE information: real checksum: 0xe3b49 should be: 0xe4c7b

Source: MSIE90C.tmp.2.dr	Static PE information: section name: .didat
Source: MSIE90C.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE24F.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE4A1.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE696.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE6E6.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE735.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIE774.tmp.2.dr	Static PE information: section name: .didat
Source: MSIE774.tmp.2.dr	Static PE information: section name: .fptable
Source: Vista Software.exe.3.dr	Static PE information: section name: .didata
Source: aipackagechainer.exe.3.dr	Static PE information: section name: .didat
Source: aipackagechainer.exe.3.dr	Static PE information: section name: .fptable
Source: Vista Software.tmp.5.dr	Static PE information: section name: .didata
Source: Vista Software.tmp.7.dr	Static PE information: section name: .didata
Source: is-3O9ML.tmp.10.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F1054 push edi; ret	4_2_005F105F
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F512D push ecx; ret	4_2_005F5140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04A637F5 pushad ; ret	8_2_04A637F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04A637FA pushfd ; ret	8_2_04A63809
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F1046 push ecx; ret	45_2_002F1059
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E940C9 push 00E940FDh; ret	45_2_00E940F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E940D1 push 00E940FDh; ret	45_2_00E940F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E900B9 push 00E90136h; ret	45_2_00E9012E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E900B7 push 00E90136h; ret	45_2_00E9012E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E94076 push 00E940FDh; ret	45_2_00E940F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E93049 push 00E93075h; ret	45_2_00E9306D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F045 push 00E8F071h; ret	45_2_00E8F069
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E9105D push 00E91089h; ret	45_2_00E91081
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E91023 push 00E91051h; ret	45_2_00E91049
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E91025 push 00E91051h; ret	45_2_00E91049
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F1D1 push 00E8F1FDh; ret	45_2_00E8F1F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F199 push 00E8F1C5h; ret	45_2_00E8F1BD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F161 push 00E8F18Dh; ret	45_2_00E8F185
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E94144 push ebp; iretd	45_2_00E9415E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E94109 push 00E9412Fh; ret	45_2_00E94127
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F2D1 push 00E8F2FDh; ret	45_2_00E8F2F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F2B1 push 00E8F2FDh; ret	45_2_00E8F2F5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7D265 push 00E7D291h; ret	45_2_00E7D289
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F279 push 00E8F2A5h; ret	45_2_00E8F29D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E92241 push 00E9226Dh; ret	45_2_00E92265
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F241 push 00E8F26Dh; ret	45_2_00E8F265
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8F209 push 00E8F235h; ret	45_2_00E8F22D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E913C9 push 00E913F5h; ret	45_2_00E913ED
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E92489 push 00E924D5h; ret	45_2_00E924CD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8E495 push 00E8E4C1h; ret	45_2_00E8E4B9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E83439 push 00E835B5h; ret	45_2_00E835AD

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE735.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\is-AA44E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE24F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\clithe\file.exe	File created: C:\dbgbkfc\AutoIt3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\file.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\Temp\is-B174P.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\is-3O9ML.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	File created: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE6E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	File created: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE774.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE696.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE4A1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SB6EB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE90C.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE735.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE24F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE6E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE774.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE696.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE4A1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE90C.tmp	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\clithe\file.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf

Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00362558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	45_2_00362558
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002E5D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	45_2_002E5D03
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DE2558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	47_2_00DE2558
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D65D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	47_2_00D65D03

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\dbgbkfc\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\dbgbkfc\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4B90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1590000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 32B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 52B0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899872	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899722	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899480	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899372	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899125	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898640	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899205
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898988
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6333	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1687	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2431	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 514	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6630

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE735.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE24F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B174P.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\clithe\is-3O9ML.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE6E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE774.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE696.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE4A1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SB6EB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE90C.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_4-56993

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-56919

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	API coverage: 9.9 %
Source: C:\Users\user\AppData\Local\clithe\file.exe	API coverage: 5.5 %
Source: C:\dbgbkfc\AutoIt3.exe	API coverage: 5.5 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5712	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6804	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4024	Thread sleep count: 2431 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1616	Thread sleep count: 514 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899872s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899722s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899480s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899372s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -899125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep time: -898640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep count: 2074 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6304	Thread sleep count: 109 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -899888s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -899751s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -899205s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -898988s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -898873s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7020	Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7020	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3924	Thread sleep count: 3156 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3924	Thread sleep count: 6630 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005B4320 FindFirstFileW,FindClose,FindClose,	4_2_005B4320
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A6BA0 FindFirstFileW,GetLastError,FindClose,	4_2_005A6BA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0059B5A0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	4_2_0059B5A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0059DD10 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	4_2_0059DD10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005CAC60 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_005CAC60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0060CCF0 FindFirstFileExW,	4_2_0060CCF0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C0E10 FindFirstFileW,FindClose,	4_2_005C0E10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C9440 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_005C9440
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005C9880 FindFirstFileW,FindClose,	4_2_005C9880
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_00581950 FindFirstFileW,FindNextFileW,FindClose,	4_2_00581950
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A3B60 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	4_2_005A3B60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005A7DF0 FindFirstFileW,FindClose,	4_2_005A7DF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0030C0D2 FindFirstFileExW,	45_2_0030C0D2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	45_2_0033E180
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	45_2_0034A187
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	45_2_0034A2E4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	45_2_0034A66E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0034686D FindFirstFileW,FindNextFileW,FindClose,	45_2_0034686D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033E9BA GetFileAttributesW,FindFirstFileW,FindClose,	45_2_0033E9BA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_003474F0 FindFirstFileW,FindClose,	45_2_003474F0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00347591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	45_2_00347591
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_0033DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	45_2_0033DE32
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7E5A5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	45_2_00E7E5A5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7E6AD FindFirstFileA,GetLastError,	45_2_00E7E6AD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E7BED5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	45_2_00E7BED5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D8C0D2 FindFirstFileExW,	47_2_00D8C0D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	47_2_00DBE180
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	47_2_00DCA187
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	47_2_00DCA2E4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DCA66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	47_2_00DCA66E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC686D FindFirstFileW,FindNextFileW,FindClose,	47_2_00DC686D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBE9BA GetFileAttributesW,FindFirstFileW,FindClose,	47_2_00DBE9BA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC74F0 FindFirstFileW,FindClose,	47_2_00DC74F0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DC7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	47_2_00DC7591
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DBDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	47_2_00DBDE32
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019BFEFD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	47_2_019BFEFD
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019C0005 FindFirstFileA,GetLastError,	47_2_019C0005
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019BD82D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	47_2_019BD82D

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005C80E0 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

4_2_005C80E0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005F16FD VirtualQuery,GetSystemInfo,

4_2_005F16FD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899872	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899722	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899480	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899372	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899125	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898640	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899205
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898988
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: AutoIt3.exe, 0000002F.00000002.3106151055.0000000001858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: file.exe, file.exe, 0000002D.00000002.2964646005.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2960071049.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2964996138.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2964646005.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2960071049.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2964646005.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 0000002F.00000002.3107008696.00000000019B6000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3106151055.00000000018B5000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3106151055.0000000001828000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3106151055.0000000001858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: MSBuild.exe, 0000002E.00000002.3400764560.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: MSBuild.exe, 0000002E.00000002.3400764560.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBp
Source: MSBuild.exe, 0000002E.00000002.3400764560.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_00E8D397 LdrInitializeThunk,

45_2_00E8D397

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0034F607 BlockInput,

45_2_0034F607

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005F5342 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_005F5342

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005AAAA0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

4_2_005AAAA0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005A98C0 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

4_2_005A98C0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F1EBE mov esi, dword ptr fs:[00000030h]	4_2_005F1EBE
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F4BF4 mov eax, dword ptr fs:[00000030h]	45_2_002F4BF4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E9EFEE mov eax, dword ptr fs:[00000030h]	45_2_00E9EFEE
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E93081 mov eax, dword ptr fs:[00000030h]	45_2_00E93081
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E93081 mov eax, dword ptr fs:[00000030h]	45_2_00E93081
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00E8D195 mov eax, dword ptr fs:[00000030h]	45_2_00E8D195
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D74BF4 mov eax, dword ptr fs:[00000030h]	47_2_00D74BF4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D9 mov eax, dword ptr fs:[00000030h]	47_2_019D49D9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D9 mov eax, dword ptr fs:[00000030h]	47_2_019D49D9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D2 mov eax, dword ptr fs:[00000030h]	47_2_019D49D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019D49D2 mov eax, dword ptr fs:[00000030h]	47_2_019D49D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019CEAED mov eax, dword ptr fs:[00000030h]	47_2_019CEAED
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_019E0946 mov eax, dword ptr fs:[00000030h]	47_2_019E0946

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005F1F2A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

4_2_005F1F2A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F4433 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_005F4433
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_0058CEA0 __set_se_translator,SetUnhandledExceptionFilter,	4_2_0058CEA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F5342 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_005F5342
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F54CF SetUnhandledExceptionFilter,	4_2_005F54CF
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 4_2_005F96A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_005F96A3
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00302446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00302446
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F0E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_002F0E4D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F0F9F SetUnhandledExceptionFilter,	45_2_002F0F9F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_002F11EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_002F11EE
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D82446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_00D82446
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D70E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_00D70E4D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D70F9F SetUnhandledExceptionFilter,	47_2_00D70F9F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00D711EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	47_2_00D711EE

Source: C:\Users\user\AppData\Local\clithe\file.exe

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 167.114.47.186lendfii.linkminervini.reminervini.dayostium.cxostium.gscapslue12.compixerealms.comMIIE6jCCAtKgAwIBAgIQAKzYScXbG6jnhNpDCIQEmTANBgkqhkiG9w0BAQ0FADAWMRQwEgYDVQQDDAtKbGRoa3JtdWVpYTAgFw0yNDA5MjIxMzQ0MDJaGA85OTk5MTIzMTIzNTk1OVowFjEUMBIGA1UEAwwLSmxkaGtybXVlaWEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCKY5fFBNugUG3lAzgicuuTasI6csRdvrJoH6Uu8rG7yBClbNK7fDlf2bgkBJFg35T0Hya8osjRxMvXruy6DC4S3g6k056xkVQqRgWBWbHmqbuCCX/URxo2n+y+yYLycJH1U+n7KuwDY85Jg0bh42vlqr8kPocz65jxUrnzoTsj0R9atDt7OXewIZfY68BV/GPtJ+pmj2jboqhWutfXWVQb/94YFbY3M8cn7Dc565O1b7j+5Z/DcEAMpV4zaQRbd3uOCv7N+h4CHcAGFyS2cu2RWzRr5Utgx5kajDClA/8aWBjYkTweK/07smzqFslp7+RsXTglISuqJoqWqHAJaVuxUqe5o+h8uo3zXxMH8w8OhPoXDs24OH41/WKJ5nk7o+jb5o/8+NJ0K1qJ6IcEaD9Dke1a2PI0AWSyaFkMfLEtPYJYwq7JKDa2TZpvlv72EqXdu6HglZgveKoSTfYbtCACVG0V+BJ1MwJkxgovgfuGuIYkLEI7G9BlpC7/PjFw+6i3yaNmcw0aClV6gzDG3HBBQBNUwYHj3yy/iiYCCF9e5VbodPVSbmew9RCzoD1pzOa/sjFP7BlM4ZZjUCz09m0fHaIH9GLnwV0kXOFVERV24squxrB9rQEr97o7zVCNaZtcbYC3tlCTloo7WluSk24ZjnFw0jHJ3/Z/ErohoxanpQIDAQABozIwMDAdBgNVHQ4EFgQUda69pBHgum+7H0tBimw6JXQNS10wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAKs321C35K0R4WisTRxPXWFNzAQbn39DO2TjyBt3sMUFJYTqMIH9Hbc92hQh5A55sRyKbKJfo/yj6QwQXElez8Gk1+F3ulvqkprJzsbDrtvJR/sQi2nMCpwen1sxDn9Y+meZHZ9hbolOcl/8GaPt/drorjPIJ5mWt0k2wyLBCg/IfT13YPeRzwEEGL7aoHPe6MhxGWRj0JSaxRYtVZidIv9VLm3XsrpPaj5F3RugRSaYNi1UfQvPO+kj16W0DzGQRb7J1PqBSfBZTYE0o5vfRNG8nrv9SYp0GAredYEJgiqBx4LfKOF1DfxsivkAsSD6C0O1B4IrxeIjRgzJ39gCqKqFseXveWl3kh4Ps2OqlcdnuEIslaut+d8RT8n8pqhaN73JJBe/5E42T9+4zUJnnSZ1CZq4utW49qzzPLT0ajGzgush0t5YOrNxcLGh8ymqbja6cCaLQzLlWSETSYUPqkdk1Q8ddGGrimwjYYWFm9yPRqvS6QlDU1onytPLPRbpdof5XZGuYFB+kvhZFxA/6Sx5032G2Qq9kMzVkRRbyk71tqlNtjXd30AQdCIVlfFVlF4UNSyw3tLw+1yZXphM/x6xmOd6DeCnvP366wAPw9Vs9dhjoAov51TgN28KVW+IjrEySytgN3DOOvRHuPbufIolC49jUADbTfMxxGbK8RmE="Default

Source: C:\Users\user\AppData\Local\clithe\file.exe

45_2_0033230F

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005CE3A0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,

4_2_005CE3A0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0033C078 SendInput,keybd_event,

45_2_0033C078

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_00352E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

45_2_00352E89

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\doW4t2.a3x && del C:\ProgramData\\doW4t2.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\doW4t2.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\users\user\appdata\local\temp\ai_f78c.ps1 -paths 'c:\users\user\appdata\roaming\your company\your application\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\your company\your application\prerequisites\aipackagechainer.exe' -retry_count 10"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\users\user\appdata\local\temp\ai_f78c.ps1 -paths 'c:\users\user\appdata\roaming\your company\your application\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\your company\your application\prerequisites\aipackagechainer.exe' -retry_count 10"			Jump to behavior

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_00331C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

45_2_00331C68

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005A4710 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

4_2_005A4710

Source: Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DA0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000027.00000000.2268180930.0000000000391000.00000002.00000001.01000000.0000000B.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerDA2A9C98D0BE5F"
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_002F0CA4 cpuid

45_2_002F0CA4

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	4_2_005D4DC0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_00606EC2
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_0060F284
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_006073C9
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_0060F4A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_0060F543
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_0060F58E
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_0060F629
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0060F6C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_0060F920
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0060FA45
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_0060FB4B
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0060FC27
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	45_2_00E7C0AD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	45_2_00E8107D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	45_2_00E81031
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	45_2_00E7C1B7
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,GetACP,	45_2_00E825C9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	45_2_00E7C9D1
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	47_2_019BDA05
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	47_2_019BE329
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	47_2_019C2989
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	47_2_019C29D5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	47_2_019BDB0F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	47_2_019C3F21

Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\clithe\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\clithe\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005F4355 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

4_2_005F4355

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_003159C7 GetUserNameW,

45_2_003159C7

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 45_2_0030B782 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

45_2_0030B782

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 4_2_005815F0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

4_2_005815F0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: find.exe, 0000001E.00000002.2257637328.000002498339B000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000001E.00000002.2257730128.0000024983745000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumP
Source: file.exe, 00000027.00000003.2269497605.000000000135C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: YLJAXXBYLW]XB@3
Source: MSBuild.exe, 0000002E.00000002.3400764560.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: MSBuild.exe, 0000002E.00000002.3400764560.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: MSBuild.exe, 0000002E.00000002.3385347681.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: powershell.exe, 00000008.00000002.2313060224.0000000007AD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe, 0000002F.00000003.3104399885.0000000004888000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 00000030.00000002.3268979112.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5896, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_003523E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	45_2_003523E0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 45_2_00351DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	45_2_00351DD8
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DD23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	47_2_00DD23E0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 47_2_00DD1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	47_2_00DD1DD8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	341 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	31 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 Create Account	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	1 Windows Service	21 Access Token Manipulation	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	11 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	LSA Secrets	278 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 File Deletion	Cached Domain Credentials	571 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	21 Masquerading	DCSync	351 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	351 Virtualization/Sandbox Evasion	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	12 Process Injection	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
740d3a.msi	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-B174P.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SB6EB.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\file.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\is-3O9ML.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\is-AA44E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	0%	ReversingLabs
C:\Windows\Installer\MSIE24F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE4A1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE696.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE6E6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE735.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE774.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE90C.tmp	0%	ReversingLabs
C:\dbgbkfc\AutoIt3.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Vista Software.exe, 00000005.00000000.2160371198.0000000000A21000.00000020.00000001.01000000.00000006.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.2297404851.0000000005F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2277059050.0000000005ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000008.00000002.2255750077.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2247764460.0000000004E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2250253596.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.remobjects.com/ps	Vista Software.exe, 00000005.00000003.2167669347.000000007F84B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000005.00000003.2164502504.000000000315F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 00000006.00000000.2170071258.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Vista Software.tmp, 0000000A.00000000.2193818046.000000000097D000.00000020.00000001.01000000.00000009.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.2297404851.0000000005F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2277059050.0000000005ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.innosetup.com/	Vista Software.exe, 00000005.00000003.2167669347.000000007F84B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000005.00000003.2164502504.000000000315F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 00000006.00000000.2170071258.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Vista Software.tmp, 0000000A.00000000.2193818046.000000000097D000.00000020.00000001.01000000.00000009.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.2275179676.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/X	Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000027.00000000.2268475312.00000000003A5000.00000002.00000001.01000000.0000000B.sdmp, file.exe, 0000002D.00000000.2921494238.00000000003A5000.00000002.00000001.01000000.0000000B.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000000.3052534350.0000000000E25000.00000002.00000001.01000000.0000000D.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	Vista Software.tmp, 0000000A.00000003.2269602416.0000000007DAF000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962836146.00000000041E7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000002.2966905904.0000000004015000.00000004.00001000.00020000.00000000.sdmp, file.exe, 0000002D.00000003.2962972483.00000000040FB000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000002.3108575212.00000000046C5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002F.00000003.3104547290.00000000047AB000.00000004.00001000.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.2255750077.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2247764460.0000000004E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2250253596.0000000004F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000002E.00000002.3385347681.0000000003070000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.2250253596.00000000050E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2294302835.00000000075AD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe	MSBuild.exe, 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.114.47.186	unknown	Canada		16276	OVHFR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559267
Start date and time:	2024-11-20 11:15:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	740d3a.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@82/60@0/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 133 Number of non-executed functions: 197
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.113.110.67, 20.12.23.50, 192.229.221.95, 20.3.187.198, 199.232.214.172, 13.85.23.206
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 5896 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6040 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6640 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 740d3a.msi

Simulations

Behavior and APIs

Time	Type	Description
05:16:12	API Interceptor	1x Sleep call for process: Vista Software.tmp modified
05:16:12	API Interceptor	46x Sleep call for process: powershell.exe modified
05:17:33	API Interceptor	251x Sleep call for process: MSBuild.exe modified
11:17:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce eeacadf "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
11:17:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce eeacadf "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
167.114.47.186	Reminder.exe	Get hash	malicious	PureCrypter	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Reminder.exe	Get hash	malicious	PureCrypter	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://www.google.ca/url?q=30NUMBER&rct=77151727248916238810&sa=t&url=amp/s/estudioit.cl/starl/%23YW5nZWxhLmhvZGdzb25AMnNmZy5jb20=	Get hash	malicious	Unknown	Browse	13.107.246.45
	invoice.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.45
	215.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	213.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	212.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	Reminder.exe	Get hash	malicious	PureCrypter	Browse	192.229.221.95
	212.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	6GvQSVIEIu.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	NW_EmployerNewsletter_11142024_pdf.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	gggghh.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	file.exe	Get hash	malicious	Remcos	Browse	192.229.221.95
	https://www.amtso.org/check-desktop-phishing-page/	Get hash	malicious	Unknown	Browse	192.229.221.95
	FACTURA 4377.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	WEqMZ4qrbX.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	199.232.210.172
	MyInstaller_PDFGear.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	file.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Benefit Enrollment -wZ5nusm.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	6GvQSVIEIu.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Benefit Enrollment -eGz8VNb.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	217469812STM.pdf	Get hash	malicious	ScreenConnect Tool, Phisher	Browse	199.232.210.172
	file.exe	Get hash	malicious	Remcos	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	Reminder.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	arm.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	51.79.4.49
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	147.135.236.178
	https://usapress.info/inside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years/	Get hash	malicious	Unknown	Browse	54.38.113.5
	https://l.facebook.com/l.php?u=https%3A%2F%2Fusapress.info%2Finside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0r3IVxCUPtQPPqP5Ce0_adoAsiHgG3Oy1cYDq3k1JXBIrTGLtjToxlazM_aem_q02YsKkKY0QB_fm5suzUDw&h=AT1Xo_CkNlagO29_sds-m5zdTBZ6-H70m0J__7wjjmSNinwNGqBfRUFK3cH2zXJWNO7msrJPRkNulrkTmUCLkRNMcfCJTNK-cs4SfUQyRy7nw3vP1DNmFisBvlttaen8fHfi-N3lXN_BGQgdBw&__tn__=R%5D-R&c%5B0%5D=AT3euz91upHKeMVK8p24ktUFKClJ0GKt_3lJnV9tGakx0Tro3u7Ymk1z4tOG4eBZxcuD-Ny10eAla4iUyfdG04Fh4GryHwAMuELGG4dQctfWKiu4mfB-eLJ8Qktnq0ptzD_TaZEPEMHQnvP4W65jDpc-XBmWlMSmaRM-2soPhaPGYAODWegqP8h47S90Q2hmwQvQgUDdb35OgV1duzzqudMAyOk7e8E7mfpnrlwhIvWwUkK53AUNuPTqYkQ	Get hash	malicious	Unknown	Browse	54.38.113.3
	exe009.exe	Get hash	malicious	Emotet	Browse	54.38.143.245
	RFQ_TFS-1508-AL NASR userING.exe	Get hash	malicious	RedLine	Browse	193.70.111.186
	https://t.co/D4HGMmKLnL	Get hash	malicious	Unknown	Browse	51.222.206.130
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	147.135.31.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Reminder.exe	Get hash	malicious	PureCrypter	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.45
	https://orbistravelassistance.page/app/pages/login.php	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	13.107.246.45
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Doc_Comprovativo_Novembro_xoyx_18-11-2024_79.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	13.107.246.45
	https://c9amf220.caspio.com/dp/3ba5e0002add93b7ba4f4d22b51d	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.google.ca/url?q=30NUMBER&rct=77151727248916238810&sa=t&url=amp/s/estudioit.cl/starl/%23YW5nZWxhLmhvZGdzb25AMnNmZy5jb20=	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://load.webdatahoster.com	Get hash	malicious	Unknown	Browse	13.107.246.45

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-B174P.tmp\_isetup\_setup64.tmp	Reminder.exe	Get hash	malicious	PureCrypter	Browse
	reservation .exe	Get hash	malicious	TVrat	Browse
	reservation .exe	Get hash	malicious	TVrat	Browse
	oZ3vtWXObB.exe	Get hash	malicious	TVrat	Browse
	wjpP1EOX0L.exe	Get hash	malicious	TVrat	Browse
	PkWnPA8l7C.exe	Get hash	malicious	DBatLoader, TVrat	Browse
	oZ3vtWXObB.exe	Get hash	malicious	TVrat	Browse
	wjpP1EOX0L.exe	Get hash	malicious	TVrat	Browse
	1.exe	Get hash	malicious	DBatLoader, TVrat	Browse
	1.exe	Get hash	malicious	DBatLoader, TVrat	Browse

Created / dropped Files

C:\Config.Msi\3fe04d.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9435
Entropy (8bit):	5.579893777524464
Encrypted:	false
SSDEEP:	192:5YdeqI1U9NZOITNZOk4m3MYpBlEfQ/4puLpCdT7XppA:5F1UZfZb4m8YpBifQ/4p5dT7XppA
MD5:	B14415AB2C65E50F4D98D2C1B5DDB2F2
SHA1:	1E7875E0E97CAB89F70281F70C6DEE281636A4F2
SHA-256:	13D90EC4551A595D1A4AE9DC738BAE9ABF78C81A3B51A8BEC7CC8EA93E45B3B7
SHA-512:	6EBB0EEE0C349721726159136B6D2838AC884C78E266DF76230886082AD0A385E49D43AD2DF5CC55E94C7506622662E456639437321BB763D82ACA717FD66855
Malicious:	false
Preview:	...@IXOS.@.....@.*tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{2DB80D4A-91C8-4B46-99C2-BAAC7C0B3006}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@......&.{C7A8C515-ACD3-4411-99AD-EAD9719AE9CF}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@......&.{2DE3D436-1DE1-417A-9EA0-E82AF8BF7D62}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@........CreateFolders..Creating folders..Folder: [1]#.@.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....&.Software\Your Company\Your Application...@....(.&...Version..1.0.0'.&...Path@.C:\Users\user\AppData

C:\Config.Msi\3fe04f.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	399
Entropy (8bit):	4.948377753553006
Encrypted:	false
SSDEEP:	6:Ea3LMmoe/gReRY+Jy8QVkBMhiYBlSzVq2olnl/hkBdtsuRkYRsj9Yq:EgEOgRGYdTdhTSzVYnl/hitft2/
MD5:	483C5B606977D63561703617F5C4F1B7
SHA1:	865826D3C322F5BF4156F496C3E5E1472DDACB7C
SHA-256:	35FCDBF9929C5C8ADDF879A8200CCDDED73751FE8F15D4F9ECD5A3D532CEE019
SHA-512:	7A2E9842E8019C981654BA82F6C782D79A6F7624F657D0A4E6B725AFB432809CCA8789AAA48ACF76F311EC3F3DB3E34003A8EFEABA647FDA7B405E5FC395FBF4
Malicious:	false
Preview:	...@IXOS.@.....@.*tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....AI_LaunchChainer...@.....@.....@....

C:\ProgramData\doW4t2.a3x

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	5.344873306377427
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzetfE4KnKIE4oKNzKo9E4KhZsXE4qdKm:MxHKlYHKh3oRAHKzetfHKntHo6lHKmHA
MD5:	8255A4767725CC323842B221CEAFCBEE
SHA1:	537C8C5384748F137B339E39BC0A7FA90DBBC112
SHA-256:	7B368AA23DA44F0789862A83A2FA7BD40B1E1FB3C19E69005FAEA382DD0252F5
SHA-512:	C9B2DB6E3059872EEBF2DDBF2CE19A76D794C01D50E6A178108F5DAF29BA3B93DCF048C72A4414FAB83026BBE062C6DB5BA91657EF4706853A26980342E2CDD8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=n

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	5.437628337637955
Encrypted:	false
SSDEEP:	24:3TZJ0cYRSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tJBJt/NK3R8IHrENU:V6xRSU4y4RQmFoUeWmfmZ9tJBLNWR8IR
MD5:	354E43915CD106410E93384F1DBF3469
SHA1:	5F198B1785438387E7A4082DDDD818BB696CA708
SHA-256:	1FCBBCF09B534C84D87087F8FE0CC15F4D7EB33E72E2477C77A85F7F80189ED6
SHA-512:	A63B11987A4BF3A2C5B5A130084859B15382106C9A5A1D014C1F781B2A3505C5D46C1A3A6EA0316E842382E4A6AE8D2482995D8E18BFE565CA1A399AD093EE99
Malicious:	false
Preview:	@...e................................................@..........L...............h..t...D.d.u.........!.Microsoft.PowerShell.ScheduledJob...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Command

C:\Users\user\AppData\Local\Temp\AI_F78C.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23209
Entropy (8bit):	6.02302501724474
Encrypted:	false
SSDEEP:	384:gsurSpJjMPfBJZh+puH/aXAAtyIRWXISPVPXFtlMnOpkpNZRHbaQotu25tbJUuqS:IOpJjMPfBjhj/HkutPXFtleJ3F1oUaJL
MD5:	467774A57E387C18B5962AEAB412CDF5
SHA1:	15E5B916C5251A2D58CCA07381860A22E34BF1A5
SHA-256:	C57C9CE36B104FEBA7B9E0CAD5D37090C87CB3E351EDE658D1000B66ACAD24D9
SHA-512:	0C821543528827BE0D845421905551B07073D9ACBF7E4BC9F386B4808192E4BD28C27CF86ACCB4F7820F68829A0F4BF311BFE7A10B1388D8B385311A157430DB
Malicious:	true
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9bwYJKoZIhvcNAQcCoII9YDCCPVwCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ax5gg51.mrc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ceqbq3pg.ik3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hq41r5ld.5xg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5eynkwf.21d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khge5aeh.ut0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pj3du2ww.13m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3615232
Entropy (8bit):	6.746330366445845
Encrypted:	false
SSDEEP:	98304:7JYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh4:6VL/tnHGYiqlmhhhhhhhhhhhhhhhhhhq
MD5:	584586C0CF548DB94F76F124046D58D9
SHA1:	63BA86DC3AE44A60C315C29416EE89952F57DACF
SHA-256:	DD7B6FC3B236D3F6F5C8309B95A0748FEE3FA075E48F68DE381FD68210260FC2
SHA-512:	B3EF65AE20CA7992AF343397C68F8BE35A15437C24B35E878B9D349D5C9F6AF0FA8CB1BE4F8DA08DCBAD1D0C95DC36CED784F900696CF85F69C8D7A2148EA242
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-B174P.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Reminder.exe, Detection: malicious, Browse Filename: reservation .exe, Detection: malicious, Browse Filename: reservation .exe, Detection: malicious, Browse Filename: oZ3vtWXObB.exe, Detection: malicious, Browse Filename: wjpP1EOX0L.exe, Detection: malicious, Browse Filename: PkWnPA8l7C.exe, Detection: malicious, Browse Filename: oZ3vtWXObB.exe, Detection: malicious, Browse Filename: wjpP1EOX0L.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3615232
Entropy (8bit):	6.746330366445845
Encrypted:	false
SSDEEP:	98304:7JYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh4:6VL/tnHGYiqlmhhhhhhhhhhhhhhhhhhq
MD5:	584586C0CF548DB94F76F124046D58D9
SHA1:	63BA86DC3AE44A60C315C29416EE89952F57DACF
SHA-256:	DD7B6FC3B236D3F6F5C8309B95A0748FEE3FA075E48F68DE381FD68210260FC2
SHA-512:	B3EF65AE20CA7992AF343397C68F8BE35A15437C24B35E878B9D349D5C9F6AF0FA8CB1BE4F8DA08DCBAD1D0C95DC36CED784F900696CF85F69C8D7A2148EA242
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-SB6EB.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\file.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\is-3O9ML.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639357
Entropy (8bit):	6.7334924639235485
Encrypted:	false
SSDEEP:	98304:zJYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn:SVL/tnHGYiqlmhhhhhhhhhhhhhhhhhhh
MD5:	A502816878594E55FE6A4BF0383C9012
SHA1:	B37FD1BE34B7A76594240F60F226AE3CBD410AA3
SHA-256:	D4F4F74F71F52E6B17355B5ABEFDA78CFC9A5EB267213F4059922468C56B0277
SHA-512:	36C3C033E6E6C5B4D82CE5F5E6DFEC9D210B51ECF34A3DDBF3A3062FE27224D6824E15403B778D10A1C3C138450701BB6B0C8452794420F23FD8E5795FCDB7B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\clithe\is-512UL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\Users\user\AppData\Local\clithe\is-AA44E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\is-G6AC1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	61302
Entropy (8bit):	7.997489289281888
Encrypted:	true
SSDEEP:	1536:DuJTbCqFC3mhFOwLah/4qYkDwlCKA9J7lvUqHUkXun:CtblFbGwLa2kElnANcqHen
MD5:	F0ECA05CE9A3A95EB161E175654CBB49
SHA1:	65CF312004A77709C5181DF950F608AFBCAB92F7
SHA-256:	F50D9901798FB26B80F73685F340E769E16495E9CD7CD902321F474A11FECCB7
SHA-512:	EDEF43BD7565833C5033CE05CF611194BB6646465BC42F9A996A7C6C5AB6F90DF2E17A13DEC6DB45E1F402D25F6A168C9F2DEB17721D9ACF00769F2A83F3A2B8
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..................j.......j..kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..!..f.....'......b~....j..C...................j..m.....KF....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

C:\Users\user\AppData\Local\clithe\millhouse.cda (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\Users\user\AppData\Local\clithe\millhouse1.a3x (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	61302
Entropy (8bit):	7.997489289281888
Encrypted:	true
SSDEEP:	1536:DuJTbCqFC3mhFOwLah/4qYkDwlCKA9J7lvUqHUkXun:CtblFbGwLa2kElnANcqHen
MD5:	F0ECA05CE9A3A95EB161E175654CBB49
SHA1:	65CF312004A77709C5181DF950F608AFBCAB92F7
SHA-256:	F50D9901798FB26B80F73685F340E769E16495E9CD7CD902321F474A11FECCB7
SHA-512:	EDEF43BD7565833C5033CE05CF611194BB6646465BC42F9A996A7C6C5AB6F90DF2E17A13DEC6DB45E1F402D25F6A168C9F2DEB17721D9ACF00769F2A83F3A2B8
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..................j.......j..kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..!..f.....'......b~....j..C...................j..m.....KF....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

C:\Users\user\AppData\Local\clithe\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	InnoSetup Log 64-bit clithe, version 0x418, 6401 bytes, 571345\37\user\, C:\Users\user\AppData\Local\clithe\376
Category:	dropped
Size (bytes):	6401
Entropy (8bit):	3.891384038866669
Encrypted:	false
SSDEEP:	96:831W8JbGyaB9MDIdOTOGO/OzOGIuTXdHOkQCcbcuJlEDA4MZAe2L958rHhH:831W8TaBdUSn2yGIuLdHmbP4DSm9cHR
MD5:	CFEF5BCEC2622BCA39246D3BD5A10D63
SHA1:	8B16C7E92A0CDFB6E3BD8A95B2F60C17301A9535
SHA-256:	ECD791918601B4E51D0B3929776034FF779770DE686D6FF24A505351091CC058
SHA-512:	902D5E8E566D8C38948B6B02895598437408789BE7E9A0102072E7A0A58D4C4CE2A6780EDCA7AEB241B13DBFEAA723F1529C0BAB8575AF3F06AFF16EEEE7DD5C
Malicious:	false
Preview:	Inno Setup Uninstall Log (b) 64-bit.............................reclosable......................................................................................................................clithe......................................................................................................................................!................................................................................................................z...........X................5.7.1.3.4.5......e.n.g.i.n.e.e.r......C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.l.i.t.h.e....................... ..............IFPS....%........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.....................TFILETIME..................

C:\Users\user\AppData\Local\clithe\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639357
Entropy (8bit):	6.7334924639235485
Encrypted:	false
SSDEEP:	98304:zJYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn:SVL/tnHGYiqlmhhhhhhhhhhhhhhhhhhh
MD5:	A502816878594E55FE6A4BF0383C9012
SHA1:	B37FD1BE34B7A76594240F60F226AE3CBD410AA3
SHA-256:	D4F4F74F71F52E6B17355B5ABEFDA78CFC9A5EB267213F4059922468C56B0277
SHA-512:	36C3C033E6E6C5B4D82CE5F5E6DFEC9D210B51ECF34A3DDBF3A3062FE27224D6824E15403B778D10A1C3C138450701BB6B0C8452794420F23FD8E5795FCDB7B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3306790
Entropy (8bit):	7.790569470803338
Encrypted:	false
SSDEEP:	98304:/wREp+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh7:90hhhhhhhhhhhhhhhhhhhhhhhhhhhhhj
MD5:	35135E7F357C522D07DDD87307C0345C
SHA1:	758A12358ED51E44E37F238070F9407B0A017FC4
SHA-256:	1503447C30588583377509F44B075E99019A59899CA8E2A4B36A6602B39D4DC7
SHA-512:	D9020A8771277B0108C2CE1ECD07204AFBC88C6B183EBE257FA90C080FE031657CF79346D39B645B1FF8D9AEEF0A926318380E80561DEB19AB584A65E34A9DB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t........................@..................................d_...@......@...................p..q....P..........<R...........K2.@)...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...<R.......T..................@..@....................................@..@................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895488
Entropy (8bit):	6.4269201931011315
Encrypted:	false
SSDEEP:	24576:qReoHhWiBkVLQ/8MRdK6C5gU1We373cGx18Zh0:QwVdh1WebcGL8Zh0
MD5:	2C0130F614EA8C240320EC47D0008EEA
SHA1:	B4DA50EBBE6ADE459974E0A199F5C780D5AD19F7
SHA-256:	B78A85120AFAF0C2B7A132ECDB8C2DAA5C18190CEEE3F2F7420C1EDEE205F957
SHA-512:	381386DF46A30EF457BC2A63E010DFD7C116029D79B79BB8BC9236EBA4B4D673A5D97A4C4E7F1B32604CE653973E9C52B8B0E37F529015D12B13D614DB7BAED4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.Rm'.<>'.<>'.<>W8??+.<>W89?..<>7=???.<>7=8?5.<>W88?<.<>7=9?N.<>W8:?&.<>W8=?>.<>'.=>.<>o<5?..<>o<.>&.<>'..>&.<>o<>?&.<>Rich'.<>........PE..L...6..f.........."....).\...J......PM.......p....@..........................P......I;....@............................................../......................p...@...p...........................p...@............p..H...4........................text....[.......\.................. ..`.rdata..Xd...p...f...`..............@..@.data....p..........................@....didat.......`......................@....fptable.....p......................@....rsrc..../.......0..................@..@.reloc..p...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1476
Entropy (8bit):	3.4640389846399104
Encrypted:	false
SSDEEP:	24:Q+xMXor+8hXor/kPEE3XorRkPED5kPEcmXorRkPED5kPE9X7FDXorfzv:rx8JYenEnAnD5nc2AnD5nNZTg
MD5:	7B44AAA587D203438A70FE8A07E2C190
SHA1:	73D233DFEE1F5E56ED668328ED0C2ABEAA93EB9D
SHA-256:	5BD62FFEEFC9C43004BDE9B386398A399EBF10F05C5F0A620474D88C48D0429D
SHA-512:	1E020C5A736B6F38694C2F9C301872D9D31FBD3B82ECAB21DBCFB811EA5FA3BB86DC1AFCF561D37D8E6C57DDB9B1202C928467326F378DA83F2525F58B883369
Malicious:	false
Preview:	..[.G.e.n.e.r.a.l.O.p.t.i.o.n.s.].....O.p.t.i.o.n.s.=.b.h.....D.o.w.n.l.o.a.d.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....E.x.t.r.a.c.t.i.o.n.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....[.P.R.E.R.E.Q.U.I.S.I.T.E.S.].....A.p.p.1.=.V.i.s.t.a. .S.o.f.t.w.a.r.e.....[.A.p.p.1.].....S.e.t.u.p.F.i.l.e.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.V.i.s.t.a. .S.o.f.t.w.a.r.e.\.V.i.s.t.a. .S.o.f.t.w.a.r.e...e.x.e.....O.p.t.i.o.n.s.=.i.p.....[.P.R.E.R.E.Q._.C.H.A.I.N.E.R.].....C.l.e.a.n.u.p.F.i.l.e.s.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23209
Entropy (8bit):	6.02302501724474
Encrypted:	false
SSDEEP:	384:gsurSpJjMPfBJZh+puH/aXAAtyIRWXISPVPXFtlMnOpkpNZRHbaQotu25tbJUuqS:IOpJjMPfBjhj/HkutPXFtleJ3F1oUaJL
MD5:	467774A57E387C18B5962AEAB412CDF5
SHA1:	15E5B916C5251A2D58CCA07381860A22E34BF1A5
SHA-256:	C57C9CE36B104FEBA7B9E0CAD5D37090C87CB3E351EDE658D1000B66ACAD24D9
SHA-512:	0C821543528827BE0D845421905551B07073D9ACBF7E4BC9F386B4808192E4BD28C27CF86ACCB4F7820F68829A0F4BF311BFE7A10B1388D8B385311A157430DB
Malicious:	true
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9bwYJKoZIhvcNAQcCoII9YDCCPVwCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Installer\3fe04b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	6722560
Entropy (8bit):	7.310993946697638
Encrypted:	false
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
MD5:	64A6CF00B80FE77C16F6DA137DD7A9D1
SHA1:	F9365C7876AC8934A48237499CF8774FE78EA196
SHA-256:	630ACEFE136EA2E4BB95211A214E4829D8CB59D4D948B09221E61ACD278854BF
SHA-512:	FA1FCFB0E4CCE82656A377EF00FB4424860D40B6891FCA29AF240866EFDEC5A20BA16B615488252BE2B438E2415A068BD147A013AA140FE86E1EB061B4E1BC7C
Malicious:	false
Preview:	......................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...v.......\|.......g.......;...<...=...>...?...@...A...B...C...D...E...F...G...H...j#..k#..l#..m#..n#..o#..p#..q#..r#..s#..t#..u#..v#..w#..x#..y#..d+..e+..f+..g+..h+..i+..j+..k+..l+..m+..n+..o+..p+..q+..`2..w........................................2..............................................................................................................................................................................................................................<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\3fe04e.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	6722560
Entropy (8bit):	7.310993946697638
Encrypted:	false
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
MD5:	64A6CF00B80FE77C16F6DA137DD7A9D1
SHA1:	F9365C7876AC8934A48237499CF8774FE78EA196
SHA-256:	630ACEFE136EA2E4BB95211A214E4829D8CB59D4D948B09221E61ACD278854BF
SHA-512:	FA1FCFB0E4CCE82656A377EF00FB4424860D40B6891FCA29AF240866EFDEC5A20BA16B615488252BE2B438E2415A068BD147A013AA140FE86E1EB061B4E1BC7C
Malicious:	false
Preview:	......................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...v.......\|.......g.......;...<...=...>...?...@...A...B...C...D...E...F...G...H...j#..k#..l#..m#..n#..o#..p#..q#..r#..s#..t#..u#..v#..w#..x#..y#..d+..e+..f+..g+..h+..i+..j+..k+..l+..m+..n+..o+..p+..q+..`2..w........................................2..............................................................................................................................................................................................................................<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIE24F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE4A1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE696.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE6E6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE735.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE774.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIE802.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2255
Entropy (8bit):	5.691480201534586
Encrypted:	false
SSDEEP:	24:NTgIw1SzVaRu6RwIxKmBFpiy1n5extS4WZpUqJYDhiS3rQ+xtAmSXkXZwaniXSPb:Z9zVQRxBjS0ZYD8SBgeqanNb7NGbEC0N
MD5:	386B61D30FAA962B1EAE88987789A11F
SHA1:	47A400EC6A67C209CD259C9B9ABC01ABB06DA1FE
SHA-256:	CCE6854C4D6E41668236E97B227C63069AA5C043C0D5847C9F99088BA973DE6A
SHA-512:	D84F6E7C629A5DCC7A4D4123D58C6808925D7D58BF738F681480705ABBC056CD7BCE5955664C101972763BB701305B116CB0B50B85A1DD138569E80C2FD46929
Malicious:	false
Preview:	...@IXOS.@.....@.*tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{2DB80D4A-91C8-4B46-99C2-BAAC7C0B3006}@.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@.......@.....@.....@......&.{C7A8C515-ACD3-4411-99AD-EAD9719AE9CF}2.01:\Software\Your Company\Your Application\Version.@.......@.....@.....@......&.{2DE3D436-1DE1-417A-9EA0-E82AF8BF7D62}j.01:\Software\Caphyon\Advanced Installer\Prereqs\{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}\1.0.0\VISTASOFTWARE.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".@.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@...

C:\Windows\Installer\MSIE90C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIE9D9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.173321434833674
Encrypted:	false
SSDEEP:	12:EgETgRGYdTdhTSzVYnl/hitftEkzX+HIBDZxSl:8TgIw1SzVaRkzXRdxW
MD5:	889167CB574C93A2F1BB1FC72C520E7F
SHA1:	8D36E9E1440454E38CA939111D2A609B795A63B5
SHA-256:	97073FDB58CE66231247F16021B6F6ED92B87266C3CCD240A2FCD35C77BFF252
SHA-512:	B7A274B0CCFF5825E42304C04B50373D6F66CAE144BB67BD7B4BDF71976C6924FE45710FEC65D5CEBC2327789F714793DCFEBFE3AF36B716D492E6EAE94D1E00
Malicious:	false
Preview:	...@IXOS.@.....@.*tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........AI_LaunchChainer....J...AI_LaunchChainer.@....b.C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe...@.....@.....@....

C:\Windows\Installer\SourceHash{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1621766568616767
Encrypted:	false
SSDEEP:	12:JSbX72FjQAGiLIlHVRpth/7777777777777777777777777vDHFC67XKpSl0i8Q:JKQI5pR7XoF
MD5:	104C357E39ED16A1FDB592DE09189B99
SHA1:	08FCEB110ADE668ED5BA18A0543CD64EB5A17BC4
SHA-256:	A52051B156C52B24FDCC72AE6FBB8A52558BF1127A164867445A3C2913462214
SHA-512:	38278DF7275F0A168AC8C6673274FB6CE7262AD96D551EA71BE7E7107DE16E3DFD7D4A5FC6ABB0A90B4080305AC084B3AFEDE55DB07416BD94D80C62EAF260A7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5642883760363335
Encrypted:	false
SSDEEP:	48:e8PhduRc06WXJaFT5y4fSihAEbCywpfSilyy/:Rhd1RFTc4KwC5
MD5:	B77CD824A2198EC2A22FE21611094B97
SHA1:	553224C7FFC689B21C22DB83E7ED1F53233307B6
SHA-256:	4B8C84599ACC2A18759BE8FE125D05B6D8EA0CF92BE96D6EAB15433959993867
SHA-512:	3E672A8AEE40D9136002074157A776D3D84C8671F7756010D40591044B15160D1B2021D50C56DA4805B11C3D1AC6851F9FD2AE671F75216C43513B12D7D71C2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362987602186364
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaul:zTtbmkExhMJCIpEo
MD5:	FBB35085D6281490E8AF58DA6C1C86DA
SHA1:	091FDE70AC552E82FC797278B1D6994040F6A12F
SHA-256:	6BF867DCC34A149F8BC83421F1D7B07EF6A5BC3C27289702D080EA88AEA4AC9C
SHA-512:	9F14F5A7036AA0B04A56DFD302A2AE6B32D8F2822798D26827784B8D265D422D20508F0D2880258109845834E749F7E206C58282FBE5154E54DE520C9CD11B02
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF095723BA2DD45D1B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2545067952521851
Encrypted:	false
SSDEEP:	48:RalubO+CFXJLT5z4fSihAEbCywpfSilyy/:Ql3zT14KwC5
MD5:	EAF0FEBF62B62A18D0E34AE1FF63E6D8
SHA1:	45BDC6827C3F8583DA8D311C762DC8AD80086DEE
SHA-256:	E30D104A11C8E03B5A95ECAB9AE7A0E0C277B49C1965F463497537632F0D86D6
SHA-512:	F27846E2811122DAD2F3BE4861ADF1A39605F4AAABA9626A4954225DFB763750FD5EFCEABB52DA3C449A45F9777559B248CA657C65C20B0843564635CE6EC2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF152463433D85EFE7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF36DE6CBB6E7B7A4F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2545067952521851
Encrypted:	false
SSDEEP:	48:RalubO+CFXJLT5z4fSihAEbCywpfSilyy/:Ql3zT14KwC5
MD5:	EAF0FEBF62B62A18D0E34AE1FF63E6D8
SHA1:	45BDC6827C3F8583DA8D311C762DC8AD80086DEE
SHA-256:	E30D104A11C8E03B5A95ECAB9AE7A0E0C277B49C1965F463497537632F0D86D6
SHA-512:	F27846E2811122DAD2F3BE4861ADF1A39605F4AAABA9626A4954225DFB763750FD5EFCEABB52DA3C449A45F9777559B248CA657C65C20B0843564635CE6EC2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E2DFAA254D6C083.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13843974838632944
Encrypted:	false
SSDEEP:	24:x5yAB/5kXoIipVkXoSkXoIipVkXoKAEVkyjCywVgwGMWz8+khO:vyy/mfSiOfSihAEbCywf
MD5:	EE3F405EE3625346ED7816A2FD797D95
SHA1:	ABA968F67A78C7B346279C25EC10477C331532C0
SHA-256:	6574FE391A3EB99A61AA509DC45A456339EB000DE77D31CC9BB507E31F2D0E48
SHA-512:	38F1EAF16B6F75B8D15F08226DC1970B4C1BA7EB871417ADA71D899C8E8BB9DDFBF14CF8787F62A5F91BBEDC2E691CF07590C1DC13768501BFF7C16D2126E91F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E93BBF717D8C96A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5EF30F06BEF12E99.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	modified
Size (bytes):	32768
Entropy (8bit):	1.2545067952521851
Encrypted:	false
SSDEEP:	48:RalubO+CFXJLT5z4fSihAEbCywpfSilyy/:Ql3zT14KwC5
MD5:	EAF0FEBF62B62A18D0E34AE1FF63E6D8
SHA1:	45BDC6827C3F8583DA8D311C762DC8AD80086DEE
SHA-256:	E30D104A11C8E03B5A95ECAB9AE7A0E0C277B49C1965F463497537632F0D86D6
SHA-512:	F27846E2811122DAD2F3BE4861ADF1A39605F4AAABA9626A4954225DFB763750FD5EFCEABB52DA3C449A45F9777559B248CA657C65C20B0843564635CE6EC2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8868E54FFDF9A454.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9D1252DE955DC7F8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA645E85E410366CF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBEA9D0A8BC70B5C0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06913493440520613
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOCE0O7XpiYtQVky6lS:2F0i8n0itFzDHFC67XfS
MD5:	054515D24A534599AE0802B60903105F
SHA1:	F27A778DBA04930D1F8AB514957C692807DC1DFB
SHA-256:	140247C06F0F48A7A2D793A7F4C8ABFD30BFAECEEF0370DB1F5B9EAC4AA6E7B7
SHA-512:	0A2AF47BC3E9DEB6562F0B1039982FA0A8047BFE790A2DF09426F27CC08CFBADA7446BCF878E94D9D21BCA2961AB52F8BE57E34EFB13CF29CC9D8EBBA0FC2779
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC0A52FF22BAF0E61.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5642883760363335
Encrypted:	false
SSDEEP:	48:e8PhduRc06WXJaFT5y4fSihAEbCywpfSilyy/:Rhd1RFTc4KwC5
MD5:	B77CD824A2198EC2A22FE21611094B97
SHA1:	553224C7FFC689B21C22DB83E7ED1F53233307B6
SHA-256:	4B8C84599ACC2A18759BE8FE125D05B6D8EA0CF92BE96D6EAB15433959993867
SHA-512:	3E672A8AEE40D9136002074157A776D3D84C8671F7756010D40591044B15160D1B2021D50C56DA4805B11C3D1AC6851F9FD2AE671F75216C43513B12D7D71C2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD5133AE6B9AF9CCC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE1DD5448196992C6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5642883760363335
Encrypted:	false
SSDEEP:	48:e8PhduRc06WXJaFT5y4fSihAEbCywpfSilyy/:Rhd1RFTc4KwC5
MD5:	B77CD824A2198EC2A22FE21611094B97
SHA1:	553224C7FFC689B21C22DB83E7ED1F53233307B6
SHA-256:	4B8C84599ACC2A18759BE8FE125D05B6D8EA0CF92BE96D6EAB15433959993867
SHA-512:	3E672A8AEE40D9136002074157A776D3D84C8671F7756010D40591044B15160D1B2021D50C56DA4805B11C3D1AC6851F9FD2AE671F75216C43513B12D7D71C2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE69D4E64179F27DD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2545067952521851
Encrypted:	false
SSDEEP:	48:RalubO+CFXJLT5z4fSihAEbCywpfSilyy/:Ql3zT14KwC5
MD5:	EAF0FEBF62B62A18D0E34AE1FF63E6D8
SHA1:	45BDC6827C3F8583DA8D311C762DC8AD80086DEE
SHA-256:	E30D104A11C8E03B5A95ECAB9AE7A0E0C277B49C1965F463497537632F0D86D6
SHA-512:	F27846E2811122DAD2F3BE4861ADF1A39605F4AAABA9626A4954225DFB763750FD5EFCEABB52DA3C449A45F9777559B248CA657C65C20B0843564635CE6EC2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\dbgbkfc\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\dbgbkfc\eeacadf.a3x

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.9404427828211634
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeT0s+sEAFSkIrxMVlmJHaVzvv:/2fAokItULVDv
MD5:	1D785D889CA617298A68D26DFEF974C4
SHA1:	1CC36474033E2767B059019B12782CE558F1EA34
SHA-256:	FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
SHA-512:	EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Entropy (8bit):	7.310993946697638
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	740d3a.msi
File size:	6'722'560 bytes
MD5:	64a6cf00b80fe77c16f6da137dd7a9d1
SHA1:	f9365c7876ac8934a48237499cf8774fe78ea196
SHA256:	630acefe136ea2e4bb95211a214e4829d8cb59d4d948b09221e61acd278854bf
SHA512:	fa1fcfb0e4cce82656a377ef00fb4424860d40b6891fca29af240866efdec5a20ba16b615488252be2b438e2415a068bd147a013aa140fe86e1eb061b4e1bc7c
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
TLSH:	D366D02176CBC03AE16D06725679EB6E503FBD220B3154C7A3E4796D9D307C12A3AA4F
File Content Preview:	........................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4..

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T11:17:34.367937+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	167.114.47.186	56001	192.168.2.6	49984	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 11:16:00.921907902 CET	49674	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:00.921911001 CET	49673	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:01.203066111 CET	49672	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:10.531184912 CET	49674	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:10.531193972 CET	49673	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:10.628014088 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:10.628051996 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:10.628127098 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:10.628515959 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:10.628535986 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:10.812439919 CET	49672	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:11.289833069 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.290081978 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.300230980 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.300271034 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.300546885 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.311961889 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.355479002 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.416085005 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.416109085 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.416125059 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.416232109 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.416261911 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.416312933 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.500118971 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.500138998 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.500206947 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.500236988 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.500264883 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.500308990 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.502363920 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.502382040 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.502441883 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.502448082 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.502939939 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.587513924 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.587537050 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.587668896 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.587703943 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.589011908 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.589034081 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.589080095 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.589092016 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.589123011 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.590361118 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.590394020 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.590400934 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.590411901 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.590432882 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.590450048 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.590454102 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.590483904 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.591353893 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.591815948 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.591834068 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.591921091 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.591921091 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.591928959 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.596128941 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.682252884 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.682323933 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.682435989 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.682435989 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.682461023 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.683413982 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.683466911 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.683511019 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.683531046 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.683559895 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.683782101 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.685395956 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.685457945 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.685493946 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.685513020 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.685547113 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.685594082 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.687206984 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.687351942 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.687421083 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.687443018 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.687472105 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.687650919 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.688407898 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.688477039 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.688513994 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.688525915 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.688559055 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.688849926 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.689941883 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.689989090 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.690085888 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.690085888 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.690103054 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.690123081 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.690229893 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:11.690238953 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.690331936 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:11.690423012 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.336658001 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.337241888 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.337241888 CET	49713	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.337291002 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.337320089 CET	443	49713	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.452507973 CET	443	49710	173.222.162.64	192.168.2.6
Nov 20, 2024 11:16:12.452614069 CET	49710	443	192.168.2.6	173.222.162.64
Nov 20, 2024 11:16:12.506448984 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.506519079 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.506592035 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.508140087 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.508239031 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.508311033 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.509922981 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.510006905 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.510086060 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.511126995 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.511162043 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.511215925 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.513572931 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.513596058 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.513650894 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514100075 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514133930 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.514173031 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514189005 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.514262915 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514281988 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.514415979 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514446020 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:12.514564991 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:12.514600992 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.163640976 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.164562941 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.164653063 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.166249990 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.166264057 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.169323921 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.169809103 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.169827938 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.170259953 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.170275927 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.184875965 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.187350035 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.187386036 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.187891960 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.187900066 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.194969893 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.195791960 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.200998068 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.201102018 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.201437950 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.201452971 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.202907085 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.202925920 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.206886053 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.206892014 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.265384912 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.265455008 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.265588999 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.265872955 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.265872955 CET	49718	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.265921116 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.265947104 CET	443	49718	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.270622015 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.270668030 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.270726919 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.270898104 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.270915031 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271260023 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271287918 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271351099 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.271373987 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271395922 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271445990 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.271544933 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.271544933 CET	49716	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.271560907 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.271579981 CET	443	49716	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.275466919 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.275500059 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.275738001 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.277122021 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.277132988 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.293720961 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.293744087 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.293908119 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.293929100 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.294251919 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.294307947 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.294377089 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.294393063 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.294404030 CET	49717	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.294410944 CET	443	49717	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.297760963 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.297804117 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.297861099 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.298006058 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.298028946 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.304848909 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.304917097 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.304972887 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.305202961 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.305222988 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.305236101 CET	49715	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.305243015 CET	443	49715	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.308065891 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.308084965 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.308146954 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.308319092 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.308329105 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.311669111 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.311726093 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.311795950 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.311814070 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.311855078 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.311880112 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.312014103 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.313678980 CET	49714	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.313689947 CET	443	49714	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.317087889 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.317116976 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.317188025 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.317399025 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.317414045 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.849450111 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.849982023 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.849997044 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.850636959 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.850642920 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.935964108 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.939570904 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.939603090 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.940206051 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.940213919 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.951937914 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.952020884 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.952069044 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.952313900 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.952334881 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.952343941 CET	49720	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.952356100 CET	443	49720	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.955992937 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.957442045 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.957468987 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.958015919 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.958023071 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.962421894 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.962543011 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.962582111 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.962714911 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.962856054 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.962866068 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.963012934 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.963278055 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.963284016 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.963543892 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.963557959 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.963833094 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.963849068 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:13.963927031 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:13.963929892 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.037142038 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.037239075 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.037298918 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.038687944 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.038714886 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.038731098 CET	49719	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.038738012 CET	443	49719	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.056493998 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.056714058 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.056871891 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.062872887 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.062946081 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.063663006 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.064007998 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.064085960 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.065565109 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.100018024 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.100054979 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.100071907 CET	49721	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.100080013 CET	443	49721	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.105849028 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.105859995 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.105871916 CET	49723	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.105876923 CET	443	49723	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.106522083 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.106554031 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.106566906 CET	49722	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.106574059 CET	443	49722	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.108268023 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.108341932 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.108414888 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.109452963 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.109492064 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.109555960 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.118571997 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.118611097 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.120795012 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.120805979 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.126579046 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.126631021 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.126708031 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.126833916 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.126847029 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.130614996 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.130626917 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.130753994 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.131957054 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.131973028 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.630565882 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.732692003 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.732708931 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.733249903 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.733258963 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.770874023 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.770925999 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.771871090 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.772133112 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.840830088 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.840967894 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:14.841506004 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.859354973 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.859380960 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.906311035 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:14.906311035 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.126070976 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.126120090 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.129092932 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.129101038 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.133416891 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.133452892 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.133939981 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.133951902 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.134181976 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.134181976 CET	49724	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.134211063 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.134222031 CET	443	49724	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.135740042 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.135757923 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.136738062 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.136744022 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.137063980 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.137094975 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.137564898 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.137573957 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.225464106 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.225655079 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.226284981 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.233170986 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.233421087 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.233477116 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.234149933 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.234513998 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.234525919 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.234616995 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.234819889 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.234864950 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.271155119 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.271209002 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.271326065 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.273452044 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.273473978 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.273785114 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.273830891 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.273850918 CET	49725	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.273859978 CET	443	49725	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.274131060 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.274139881 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.274151087 CET	49728	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.274156094 CET	443	49728	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.281867981 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.281919956 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.282222033 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.282478094 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.282500029 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.282851934 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.282881021 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.282896042 CET	49726	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.282903910 CET	443	49726	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.286072969 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.286094904 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.286109924 CET	49727	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.286117077 CET	443	49727	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.362936020 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.362972975 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.363049030 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.378386021 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.378408909 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.392477036 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.392530918 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.392618895 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.392800093 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.392813921 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.395910025 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.395952940 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.396059036 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.396253109 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.396264076 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.918484926 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.935139894 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.935168982 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.935837030 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.935846090 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.942564011 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.943069935 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.943104029 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:15.943824053 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:15.943840027 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.035970926 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.036149025 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.036216021 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.044032097 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.055392027 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.055418015 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.055458069 CET	49729	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.055468082 CET	443	49729	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.056605101 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.056684017 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.056787014 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.057346106 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.057374001 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.057390928 CET	49730	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.057398081 CET	443	49730	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.058697939 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.058707952 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.059247971 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.059253931 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.061379910 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.063832998 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.063860893 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.064492941 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.064507961 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.072500944 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.072544098 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.072617054 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.073620081 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.073635101 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.074479103 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.074517012 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.074611902 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.075484991 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.075506926 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.075530052 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.075845003 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.075854063 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.076641083 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.076646090 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.165188074 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.165309906 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.165369987 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.166627884 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.166692972 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.166831017 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.175789118 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.175815105 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.175828934 CET	49731	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.175834894 CET	443	49731	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.182842016 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.182934046 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.182998896 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.184580088 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.184602022 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.184613943 CET	49732	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.184619904 CET	443	49732	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.193526030 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.193550110 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.193562984 CET	49733	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.193569899 CET	443	49733	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.207679033 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.207725048 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.207803965 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.209398985 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.209496975 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.209562063 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.211021900 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.211035967 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.211968899 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.211985111 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.212039948 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.212141991 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.212153912 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.212323904 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.212332010 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.715594053 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.717137098 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.717152119 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.717952013 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.717957020 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.726861000 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.727648973 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.727663994 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.728394032 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.728398085 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.821805954 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.821871996 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.821995020 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.822500944 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.822530031 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.822572947 CET	49735	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.822578907 CET	443	49735	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.830212116 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.830255032 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.830372095 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.830533981 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.830547094 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.838268042 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.838434935 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.838505030 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.838542938 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.838562012 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.838576078 CET	49734	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.838581085 CET	443	49734	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.841615915 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.841681957 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.841782093 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.841927052 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.841948986 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.855529070 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.855952978 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.855964899 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.856437922 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.856441021 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.877621889 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.878012896 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.878037930 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.878436089 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.878441095 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.888488054 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.889122009 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.889128923 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.889834881 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.889837980 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.961271048 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.961322069 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.961374998 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.963025093 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.963038921 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.963048935 CET	49736	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.963052988 CET	443	49736	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.973586082 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.973620892 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.974205971 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.983485937 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.983499050 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.988529921 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.988621950 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.988889933 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.988969088 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.988970041 CET	49737	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:16.989013910 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:16.989041090 CET	443	49737	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.058404922 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.058461905 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.058581114 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.069880962 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.069911957 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.070991039 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.071053982 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.071130037 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.071280003 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.071290970 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.071305037 CET	49738	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.071310043 CET	443	49738	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.102886915 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.102931023 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.103138924 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.103833914 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.103857040 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.470416069 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.471775055 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.471808910 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.472246885 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.472253084 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.491425037 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.492978096 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.493000984 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.493700027 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.493707895 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.569776058 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.569827080 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.569874048 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.570257902 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.570277929 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.570288897 CET	49739	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.570293903 CET	443	49739	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.575426102 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.575448990 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.575530052 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.576065063 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.576076984 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.591459036 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.591605902 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.591677904 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.591798067 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.591798067 CET	49740	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.591840982 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.591866016 CET	443	49740	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.594120026 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.594150066 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.594242096 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.594432116 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.594444036 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.618566036 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.622391939 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.622411966 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.622881889 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.622886896 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.704345942 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.723999977 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.724078894 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.724153042 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.737041950 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.737104893 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.737742901 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.737756968 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.738168955 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.738208055 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.738234997 CET	49741	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.738250971 CET	443	49741	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.743638039 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.743731022 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.743807077 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.743997097 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.744019032 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.803656101 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.804332018 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.804362059 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.804703951 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.804709911 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.850471020 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.850552082 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.850661039 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.852469921 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.852526903 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.852557898 CET	49742	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.852576017 CET	443	49742	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.858881950 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.858933926 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.858994007 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.859806061 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.859818935 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.953788042 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.953941107 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.954004049 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.955178976 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.955208063 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.955224037 CET	49743	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.955230951 CET	443	49743	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.960062027 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.960108042 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:17.960221052 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.960453987 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:17.960470915 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.217473984 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.218115091 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.218153000 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.218622923 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.218631029 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.268909931 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.269493103 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.269526958 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.270145893 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.270152092 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.333667040 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.333744049 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.333914995 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.334099054 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.334099054 CET	49744	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.334147930 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.334177971 CET	443	49744	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.337692022 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.337749004 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.338691950 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.339092970 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.339108944 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.373013973 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.373172998 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.373241901 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.373367071 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.373388052 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.373404026 CET	49745	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.373409033 CET	443	49745	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.396898985 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.407088995 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.407136917 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.407744884 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.407763004 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.409537077 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.409588099 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.409729958 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.412100077 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.412127018 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.504980087 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.505054951 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.505186081 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.505470991 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.505512953 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.505538940 CET	49746	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.505553961 CET	443	49746	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.509054899 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.509139061 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.509249926 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.509521961 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.509551048 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.511173964 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.511548042 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.511585951 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.512041092 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.512049913 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.614887953 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.614959955 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.615972042 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.616857052 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.616883993 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.616911888 CET	49747	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.616918087 CET	443	49747	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.622864008 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.622909069 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.623337984 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.623656034 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.623673916 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.626851082 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.627819061 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.627819061 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.627847910 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.627886057 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.729898930 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.729960918 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.730035067 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.753009081 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.753009081 CET	49748	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.753046989 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.753061056 CET	443	49748	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.777718067 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.777766943 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:18.777843952 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.779606104 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:18.779623985 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.007282019 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.014874935 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.014908075 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.016861916 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.016881943 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.057173014 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.058589935 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.058656931 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.059082031 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.059098005 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.116854906 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.116924047 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.117064953 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.120835066 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.120835066 CET	49749	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.120887995 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.120918036 CET	443	49749	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.128802061 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.128846884 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.129213095 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.129796028 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.129817009 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.157505035 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.157697916 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.157798052 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.157843113 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.157843113 CET	49750	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.157867908 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.157881021 CET	443	49750	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.166506052 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.166552067 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.166659117 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.167375088 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.167392015 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.181982994 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.182627916 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.182677984 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.183274031 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.183288097 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.266887903 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.272202015 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.272212982 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.272694111 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.272701025 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.293982983 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.294048071 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.294112921 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.294380903 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.294416904 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.294460058 CET	49751	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.294476032 CET	443	49751	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.329601049 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.329648972 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.329713106 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.336534023 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.336546898 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.371335030 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.371433020 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.371598959 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.381432056 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.381449938 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.381470919 CET	49752	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.381477118 CET	443	49752	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.429903984 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.449079037 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.449115038 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.449595928 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.449601889 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.498159885 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.498209000 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.498387098 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.509761095 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.509787083 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.548048019 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.548136950 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.548480034 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.549693108 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.549719095 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.549736977 CET	49753	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.549743891 CET	443	49753	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.560308933 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.560349941 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.560414076 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.561922073 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.561939955 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.798271894 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.815330982 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.815330982 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.815359116 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.815373898 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.855202913 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.875797033 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.875829935 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.876290083 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.876295090 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.917979956 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.918045044 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.918431044 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.956366062 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.956366062 CET	49754	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.956382990 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.956392050 CET	443	49754	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.980731964 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.980809927 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:19.980863094 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:19.991683006 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.041511059 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.041524887 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.041553020 CET	49755	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.041558027 CET	443	49755	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.048746109 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.048774004 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.053433895 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.053438902 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.094296932 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.094342947 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.094418049 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.152129889 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.152178049 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.152216911 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.153984070 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.154004097 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.155874968 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.155901909 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.155971050 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.156102896 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.156116009 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.157239914 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.157257080 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.157270908 CET	49757	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.157275915 CET	443	49757	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.170800924 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.176157951 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.176194906 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.176327944 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.197654963 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.197674036 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.198389053 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.198393106 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.199394941 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.199424982 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.213413954 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.213800907 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.213820934 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.214277983 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.214282990 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.296611071 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.296777010 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.296876907 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.297974110 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.297974110 CET	49758	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.297991991 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.298001051 CET	443	49758	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.305624008 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.305668116 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.305756092 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.306530952 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.306548119 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.314255953 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.314327955 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.314378023 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.314562082 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.314578056 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.314588070 CET	49759	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.314593077 CET	443	49759	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.317895889 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.317929983 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.317989111 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.318478107 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.318494081 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.791996956 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.826406956 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.832150936 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.832182884 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.832897902 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.832971096 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.832974911 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.832995892 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.833322048 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.833355904 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.842736959 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.843209028 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.843242884 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.844160080 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.844166994 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.933515072 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.933603048 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.933722019 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.940459013 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.940511942 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.940577030 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.954068899 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.954139948 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.954174995 CET	49760	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.954195023 CET	443	49760	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.955749989 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.955777884 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.955779076 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.955805063 CET	49762	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.955817938 CET	443	49762	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.958043098 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.958236933 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.958286047 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.960581064 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.967005968 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.967026949 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.967482090 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.967489004 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.971349001 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.971417904 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.971492052 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.971729994 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.971759081 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.972085953 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.972100019 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.972496033 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.972506046 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.972668886 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.972695112 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:20.972711086 CET	49761	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:20.972717047 CET	443	49761	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.021367073 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.021445036 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.021524906 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.022665977 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.022708893 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.022928953 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.031100035 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.031136036 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.031286955 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.031301022 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.064414978 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.064623117 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.064683914 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.067980051 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.068125010 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.068191051 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.068419933 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.068440914 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.068453074 CET	49763	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.068459034 CET	443	49763	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.089638948 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.089680910 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.089709044 CET	49764	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.089724064 CET	443	49764	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.159276009 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.159323931 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.159437895 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.165663958 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.165713072 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.165930033 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.173264980 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.173283100 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.173496962 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.173526049 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.822109938 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.822727919 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.826018095 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.868439913 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.868493080 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.868907928 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.868916988 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.869141102 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.869157076 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.869378090 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.869421005 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.869601011 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.869616032 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.869870901 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.869884968 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.969448090 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.969593048 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.969605923 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.969679117 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.969846010 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.969906092 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.970777035 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.970969915 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.971055984 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.992887020 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.992887020 CET	49767	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.992933035 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.992957115 CET	443	49767	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.993058920 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.993058920 CET	49766	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.993110895 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.993134975 CET	443	49766	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.995630980 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.995630980 CET	49768	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:21.995656013 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:21.995666981 CET	443	49768	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.004751921 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.004790068 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.004918098 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.006254911 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.006300926 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.006350994 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.007711887 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.007721901 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.007894993 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.007940054 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.007952929 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.008647919 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.008663893 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.009067059 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.009078026 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.016314030 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.016736984 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.016750097 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.017208099 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.017213106 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.017316103 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.017672062 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.017702103 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.018022060 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.018028021 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.115000010 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.115072966 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.115143061 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.115537882 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.115561008 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.115572929 CET	49769	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.115577936 CET	443	49769	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.118913889 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.118952990 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.119008064 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.119755030 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.119766951 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.136848927 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.136905909 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.137010098 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.137439966 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.137440920 CET	49770	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.137470961 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.137480974 CET	443	49770	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.139724970 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.139749050 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.139844894 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.140194893 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.140201092 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.662597895 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.664108992 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.664125919 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.673820972 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.673830986 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.686460972 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.687182903 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.687206030 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.687686920 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.687691927 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.696012020 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.696455956 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.696479082 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.696929932 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.696933985 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.774759054 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.774935961 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.774982929 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.775213003 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.775232077 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.775243998 CET	49774	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.775249958 CET	443	49774	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.776699066 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.778726101 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.778760910 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.778821945 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.779149055 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.779181957 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.779616117 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.779624939 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.779942036 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.779958010 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.787044048 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.787414074 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.787446022 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.787875891 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.787883043 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.790374041 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.790545940 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.790597916 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.790620089 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.790628910 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.790638924 CET	49772	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.790652990 CET	443	49772	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.792829990 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.792865038 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.792928934 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.793077946 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.793091059 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.802386999 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.802551031 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.802612066 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.802936077 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.802958965 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.802972078 CET	49773	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.802978039 CET	443	49773	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.805541039 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.805567026 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.805669069 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.805793047 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.805809021 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.879962921 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.880120039 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.880183935 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.881141901 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.881165028 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.881176949 CET	49775	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.881181955 CET	443	49775	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.884713888 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.884737968 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.884798050 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.884965897 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.884975910 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.890405893 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.890480995 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.890644073 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.890778065 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.890794039 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.890805006 CET	49776	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.890810966 CET	443	49776	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.900168896 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.900202990 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:22.900275946 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.901264906 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:22.901279926 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.444595098 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.445293903 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.445311069 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.445724964 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.445758104 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.445764065 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.446301937 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.446312904 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.446459055 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.446463108 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.472157955 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.476622105 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.476650000 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.477145910 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.477150917 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.550079107 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.550261974 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.550360918 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.550431013 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.550544024 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.550607920 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.562331915 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.562985897 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.562985897 CET	49779	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.563009977 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.563020945 CET	443	49779	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.564932108 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.564932108 CET	49777	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.564939976 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.564948082 CET	443	49777	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.567270994 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.570421934 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.570441961 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.570883036 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.570897102 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.571199894 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.571235895 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.571577072 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.571583033 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.574021101 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.574054003 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.574112892 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.575623035 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.575634956 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.575999022 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.576039076 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.576209068 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.576309919 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.576325893 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.579740047 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.579927921 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.580015898 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.580064058 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.580081940 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.580092907 CET	49778	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.580099106 CET	443	49778	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.582087040 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.582123995 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.582250118 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.582428932 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.582444906 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.679183960 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.679255962 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.679336071 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.679462910 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.679604053 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.679789066 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.680175066 CET	49781	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.680195093 CET	443	49781	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.680285931 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.680325985 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.680355072 CET	49780	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.680370092 CET	443	49780	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.688695908 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.688787937 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.688924074 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.689434052 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.689469099 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.689568996 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.689620018 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:23.689726114 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.690011024 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:23.690027952 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.216411114 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.217103004 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.217189074 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.217633963 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.217648983 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.221112013 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.221823931 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.221846104 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.222268105 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.222280025 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.224173069 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.224879026 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.224904060 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.225263119 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.225270033 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.317634106 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.317794085 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.317951918 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.318075895 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.318106890 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.318111897 CET	49782	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.318121910 CET	443	49782	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.320962906 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321058035 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.321291924 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321501017 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321537971 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.321602106 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.321682930 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.321736097 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321882010 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321913004 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.321933985 CET	49784	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.321939945 CET	443	49784	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.326783895 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.326875925 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.327022076 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.327271938 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.327301979 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.345614910 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.345704079 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.345762014 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.345937014 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.345952034 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.345963001 CET	49783	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.345968962 CET	443	49783	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.346318960 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.347556114 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.347604990 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.348087072 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.348100901 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.350125074 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.350214958 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.350334883 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.350562096 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.350598097 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.364878893 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.367937088 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.367961884 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.368402004 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.368412018 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.449400902 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.449543953 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.449615002 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.449738026 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.449784040 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.449815989 CET	49785	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.449831009 CET	443	49785	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.453830004 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.453888893 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.453993082 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.454178095 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.454196930 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.476633072 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.476716995 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.476766109 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.477200985 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.477219105 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.477252960 CET	49786	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.477257967 CET	443	49786	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.481129885 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.481215954 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:24.481308937 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.481575966 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:24.481627941 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.139761925 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.140328884 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.140425920 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.140497923 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.140675068 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.140738964 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.140779972 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.141056061 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.141071081 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.141159058 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.141166925 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.141385078 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.141423941 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.141725063 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.141747952 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.144526005 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.144891024 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.144901037 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.145337105 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.145343065 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.147088051 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.147412062 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.147440910 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.147780895 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.147793055 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.242975950 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.243053913 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.243329048 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.243763924 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.243912935 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.243976116 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.246184111 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.246326923 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.246386051 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.247420073 CET	49790	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.247462034 CET	443	49790	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.249766111 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.249825954 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.249859095 CET	49787	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.249876976 CET	443	49787	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.253272057 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.253424883 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.253552914 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.256167889 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.256247044 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.256347895 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.257136106 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.257136106 CET	49788	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.257157087 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.257177114 CET	443	49788	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.258692026 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.258717060 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.258730888 CET	49789	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.258739948 CET	443	49789	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.264014959 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.264023066 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.264038086 CET	49791	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.264043093 CET	443	49791	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.291389942 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.291435003 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.291565895 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.292648077 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.292700052 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.292764902 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.298235893 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.298247099 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.298295975 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.300448895 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.300491095 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.300544977 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.301744938 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.301762104 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.301879883 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.301894903 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.302177906 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.302194118 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.306267023 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.306334972 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.306416988 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.306529045 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.306540012 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.307089090 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.307113886 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.946906090 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.947124958 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.958518028 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.963807106 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.966828108 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.966893911 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.967528105 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.967542887 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.967853069 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.967888117 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.968266010 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.968271971 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.968627930 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.968699932 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.969055891 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.969069958 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.969980001 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.970431089 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.970458031 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.970824957 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.970835924 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.971415997 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.971431017 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:25.971966982 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:25.971971989 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.064275980 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.064306974 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.064378023 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.064409018 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.064699888 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.064742088 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.065284014 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.065305948 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.065359116 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.065362930 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.065571070 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.066304922 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.066382885 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.066526890 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.066956043 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.066982031 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.066997051 CET	49792	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.067003012 CET	443	49792	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.068744898 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.068769932 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.068800926 CET	49796	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.068808079 CET	443	49796	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.071006060 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.071036100 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.071053982 CET	49793	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.071062088 CET	443	49793	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.073124886 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.073203087 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.073260069 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.075751066 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.075757027 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.075769901 CET	49794	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.075773001 CET	443	49794	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.076663017 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.076683998 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.076728106 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.076751947 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.076781988 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.078738928 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.078787088 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.078849077 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.079816103 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.079839945 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.080866098 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.090647936 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.090665102 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.090771914 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.090796947 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.090802908 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.090821981 CET	49795	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.090830088 CET	443	49795	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.091475964 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.091490984 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.092641115 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.092653036 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.092945099 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.092961073 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.109651089 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.109692097 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.109944105 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.114999056 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.115030050 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.161475897 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.161513090 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.161725998 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.194159985 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.194180965 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.740878105 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.741038084 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.741921902 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.741986036 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.742516041 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.742536068 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.742957115 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.742985964 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.743598938 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.743608952 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.756124973 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.757356882 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.757388115 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.758245945 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.758253098 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.760857105 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.761651039 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.761672020 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.762145996 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.762151003 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.841219902 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.841506958 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.841566086 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.841641903 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.841685057 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.841711998 CET	49797	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.841727972 CET	443	49797	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.842008114 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.842278004 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.842338085 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.844115019 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.844115019 CET	49799	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.844134092 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.844155073 CET	443	49799	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.847278118 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.847317934 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.847839117 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.848649025 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.848684072 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.848757029 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.848968029 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.848982096 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.849252939 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.849266052 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.850565910 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.850977898 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.850994110 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.851361036 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.851366043 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856216908 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856270075 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856333971 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.856364012 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856448889 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856491089 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.856517076 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.856517076 CET	49798	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.856533051 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.856544018 CET	443	49798	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.858977079 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.859020948 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.859081030 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.859178066 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.859194040 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.861474037 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.861754894 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.861812115 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.861902952 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.861912012 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.861922026 CET	49800	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.861924887 CET	443	49800	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.863814116 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.863843918 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.863903999 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.864176989 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.864190102 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.952351093 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.952451944 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.952584982 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.952802896 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.952802896 CET	49801	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.952824116 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.952833891 CET	443	49801	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.959021091 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.959121943 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:26.959338903 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.959573984 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:26.959618092 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.500735044 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.501450062 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.501724005 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.501744986 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.502285957 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.502293110 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.502790928 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.502826929 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.503212929 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.503220081 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.515038967 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.515408039 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.515439987 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.515939951 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.515944958 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.544835091 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.545262098 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.545278072 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.545737982 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.545742989 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.600553989 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.600833893 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.600907087 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.601126909 CET	49804	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.601150990 CET	443	49804	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.601535082 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.602129936 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.602185011 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.603049040 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.603080034 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.603091955 CET	49803	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.603097916 CET	443	49803	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.607192993 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.607232094 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.607301950 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.607666016 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.607680082 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.609047890 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.609078884 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.609471083 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.610662937 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.610677958 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.617698908 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.617904902 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.617966890 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.618048906 CET	49802	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.618062973 CET	443	49802	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.620459080 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.620480061 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.620661974 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.620786905 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.620799065 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.635797977 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.636245012 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.636293888 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.636763096 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.636775970 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.649889946 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.650044918 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.650146008 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.650300026 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.650316954 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.650326014 CET	49805	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.650331020 CET	443	49805	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.653853893 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.653879881 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.653966904 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.654211998 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.654227018 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.740735054 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.741342068 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.741417885 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.741497993 CET	49806	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.741537094 CET	443	49806	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.745696068 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.745739937 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:27.745822906 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.746016979 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:27.746031046 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.372997999 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.373745918 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.381778002 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.382548094 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.392663002 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.392677069 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.393188000 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.393193007 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.393704891 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.393727064 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.394213915 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.394220114 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.394503117 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.394517899 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.394922972 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.394933939 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.395606041 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.395617962 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.396116018 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.396120071 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.409219980 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.409643888 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.409661055 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.410165071 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.410168886 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.489736080 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.489897013 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.490127087 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.490497112 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.490524054 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.490540981 CET	49809	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.490547895 CET	443	49809	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.494832039 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.494869947 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.494982004 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.495452881 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.495455027 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.495467901 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.495804071 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.495923042 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.495984077 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496026039 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496033907 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496056080 CET	49807	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496062040 CET	443	49807	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496371984 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496504068 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496587038 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496644974 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496665001 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496696949 CET	49810	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.496704102 CET	443	49810	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.496932030 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.497546911 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.497594118 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.497651100 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.499686003 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.499766111 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.499919891 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.500143051 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.500178099 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.500267982 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.500281096 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.500368118 CET	49808	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.500375986 CET	443	49808	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.504869938 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.504897118 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.504988909 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.505141020 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.505156994 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.506036043 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.506063938 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.506162882 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.506660938 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.506686926 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.530131102 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.530210018 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.530479908 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.530644894 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.530663967 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.530675888 CET	49811	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.530683994 CET	443	49811	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.540996075 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.541080952 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:28.541245937 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.541760921 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:28.541796923 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.144530058 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.145833969 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.145848989 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.145934105 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.146487951 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.146492958 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.149961948 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.150456905 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.150485039 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.150891066 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.150897026 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.152353048 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.152360916 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.152734041 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.152739048 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.163126945 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.163713932 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.163723946 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.164695024 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.164702892 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.192513943 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.220037937 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.220119953 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.220566988 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.220582008 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.246859074 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.246958017 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.247061014 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.247288942 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.247303963 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.247319937 CET	49812	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.247325897 CET	443	49812	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.248579979 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.248903990 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.248963118 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.249078035 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.249082088 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.249090910 CET	49814	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.249094009 CET	443	49814	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.252145052 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.252350092 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.252746105 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253248930 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253292084 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.253397942 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253421068 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253443003 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.253470898 CET	49813	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253485918 CET	443	49813	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.253832102 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.253845930 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.257509947 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.257545948 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.257621050 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.258234978 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.258249998 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.259064913 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.259077072 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.259208918 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.259501934 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.259511948 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264009953 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264180899 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264230013 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.264241934 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264288902 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264364004 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.264394045 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.264400005 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.264411926 CET	49815	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.264415979 CET	443	49815	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.266859055 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.266904116 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.266969919 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.267168999 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.267189026 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.319367886 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.319598913 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.319664001 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.319761038 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.319797039 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.319827080 CET	49816	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.319842100 CET	443	49816	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.323085070 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.323148012 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.323242903 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.323472977 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.323491096 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.948952913 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.949739933 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.949781895 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.950234890 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.950241089 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.965428114 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.966130972 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.966162920 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.966873884 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.966880083 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.976105928 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.976666927 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.976752996 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.977132082 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.977149010 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.989116907 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.989592075 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.989608049 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:29.990196943 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:29.990200996 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.007987976 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.008486986 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.008543968 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.008984089 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.008997917 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.070147991 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.070322990 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.070674896 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.079139948 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.079543114 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.079624891 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.079698086 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.079708099 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.080012083 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.080080032 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.080137014 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.095324993 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.095349073 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.095366955 CET	49817	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.095372915 CET	443	49817	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.097393990 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.097825050 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.097893953 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.099323034 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.099390984 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.099580050 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.099726915 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.099746943 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.099792957 CET	49820	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.099802971 CET	443	49820	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.100673914 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.100698948 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.101015091 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.101047993 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.101064920 CET	49818	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.101072073 CET	443	49818	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.103224039 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.103230000 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.103243113 CET	49819	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.103245974 CET	443	49819	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.106858969 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.106924057 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.107062101 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.107470989 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.107501030 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.108494043 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.108529091 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.108748913 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.109554052 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.109580040 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.109667063 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.109774113 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.109786034 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.109877110 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.109891891 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.112411022 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.112626076 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.112694979 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.112756014 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.112756014 CET	49821	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.112780094 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.112802029 CET	443	49821	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.115350008 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.115360975 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.115442991 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.115554094 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.115575075 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.744246960 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.745011091 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.745064020 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.745102882 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.745558977 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.745573044 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.745871067 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.745891094 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.746680021 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.746686935 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.751229048 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.751585960 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.751665115 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.752178907 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.752193928 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.772809982 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.773463011 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.773483038 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.774086952 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.774091005 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.790616989 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.798764944 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.798794985 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.799305916 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.799316883 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844185114 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844238997 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844322920 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844400883 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844423056 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844460011 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844531059 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844531059 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844630957 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844679117 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844712019 CET	49822	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844728947 CET	443	49822	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844837904 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844856024 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.844923973 CET	49824	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.844929934 CET	443	49824	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.848824024 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.848839998 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.849004030 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.849797964 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.849811077 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.850488901 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.850529909 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.850632906 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.850744963 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.850763083 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.853638887 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.853851080 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.853923082 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.854052067 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.854052067 CET	49823	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.854110003 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.854151964 CET	443	49823	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.856496096 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.856542110 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.856884003 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.857027054 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.857043982 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.878526926 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.879434109 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.879501104 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.879656076 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.879671097 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.879709005 CET	49826	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.879714966 CET	443	49826	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.882662058 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.882682085 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.882781982 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.882936954 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.882950068 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.903095961 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.903343916 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.903453112 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.903476954 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.903490067 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.903500080 CET	49825	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.903506041 CET	443	49825	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.907025099 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.907068968 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:30.907188892 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.907344103 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:30.907360077 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.429208994 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.430191040 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.430208921 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.431092978 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.431097984 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.432394981 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.434541941 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.434561014 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.436448097 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.436460972 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.523144960 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.523689032 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.523735046 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.523768902 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.524386883 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.524399996 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.524768114 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.524782896 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.525271893 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.525276899 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.529802084 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.530262947 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.530304909 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.530312061 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.530359983 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.530538082 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.530538082 CET	49827	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.530555964 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.530564070 CET	443	49827	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.534820080 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.534885883 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.534991026 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.535398006 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.535414934 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.535485983 CET	49828	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.535492897 CET	443	49828	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.536679983 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.536732912 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.536796093 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.537993908 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.538019896 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.539841890 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.539875984 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.539978981 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.540739059 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.540755033 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.559632063 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.560107946 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.560152054 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.560637951 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.560646057 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.624198914 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.624963045 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.625040054 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.625315905 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.625341892 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.625358105 CET	49829	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.625365973 CET	443	49829	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.626594067 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.626657963 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.626722097 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.627645969 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.627667904 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.627681971 CET	49830	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.627688885 CET	443	49830	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.630827904 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.630875111 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.630930901 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.631437063 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.631464005 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.637586117 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.637619019 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.637686014 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.638160944 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.638180971 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.664832115 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.664954901 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.668684006 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.671197891 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.671220064 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.671240091 CET	49831	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.671247005 CET	443	49831	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.684148073 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.684240103 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:31.684314966 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.684583902 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:31.684622049 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.262356997 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.264975071 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.268347025 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.288784027 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.320508003 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.320648909 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.326272964 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.359338999 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.359338999 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.464368105 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.464400053 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.465116024 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.465126038 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.465734959 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.465768099 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.466895103 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.466905117 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.468338966 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.468353987 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.468772888 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.468779087 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.566943884 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.567724943 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.567781925 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.568928957 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.569742918 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.569797039 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.586431980 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.586473942 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.587165117 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.587177992 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.587460041 CET	49835	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.587481022 CET	443	49835	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.588311911 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.588344097 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.589171886 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.589179993 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.600897074 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.601269960 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.601327896 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.601453066 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.601473093 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.601489067 CET	49834	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.601496935 CET	443	49834	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.690646887 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.690681934 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.690699100 CET	49833	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.690706015 CET	443	49833	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.693430901 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.693511009 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.693573952 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.693620920 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.693658113 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.693713903 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.694463015 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.694493055 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.694550991 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.694552898 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.695327997 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.695497990 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.695548058 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.695652008 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.777745962 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.777789116 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.779498100 CET	49836	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.779536009 CET	443	49836	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.782051086 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.782072067 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.782083988 CET	49832	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.782089949 CET	443	49832	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.794898987 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.794934988 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.795073032 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.795290947 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.795308113 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.796418905 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.796448946 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.796674967 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.800838947 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.800864935 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.800956964 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.801062107 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.801073074 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.801971912 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.801983118 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.804063082 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.804085970 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:32.804151058 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.804296017 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:32.804310083 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.417435884 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.418535948 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.418622971 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.419368982 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.419382095 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.437576056 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.438308001 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.438369989 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.439013958 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.439028978 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.460203886 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.460692883 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.460721970 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.461371899 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.461384058 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.471136093 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.471530914 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.471556902 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.472305059 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.472359896 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.474565983 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.474841118 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.474877119 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.475457907 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.475466967 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.518943071 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.519222021 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.519280910 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.531054974 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.531095028 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.531112909 CET	49837	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.531121969 CET	443	49837	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.536335945 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.536392927 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.536451101 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.546148062 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.546875954 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.546957016 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.550074100 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.550102949 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.550599098 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.550599098 CET	49838	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.550638914 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.550664902 CET	443	49838	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.554945946 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.555033922 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.555120945 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.555246115 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.555282116 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.562834024 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.562992096 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.563038111 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.563051939 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.563101053 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.563143015 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.566833019 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.566848040 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.566860914 CET	49840	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.566865921 CET	443	49840	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.570812941 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.570858002 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.570928097 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.571085930 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.571110964 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.579052925 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.579140902 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.579247952 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.579344988 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.579344988 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.580168962 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.580229044 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.580271006 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.580393076 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.580415010 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.580430984 CET	49841	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.580437899 CET	443	49841	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.586111069 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.586111069 CET	49839	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.586153030 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.586180925 CET	443	49839	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.592799902 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.592844009 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.592911959 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.594880104 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.594911098 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.596472025 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.596498013 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:33.596575975 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.596716881 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:33.596743107 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.207623959 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.211813927 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.218827963 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.218864918 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.218902111 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.219969034 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.219974995 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.220702887 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.220704079 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.220769882 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.220815897 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.221757889 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.221851110 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.221988916 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.222002029 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.252804995 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.253290892 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.253330946 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.253772974 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.253784895 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.261154890 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.261656046 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.261687040 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.262064934 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.262073040 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.316745043 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.318923950 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.318983078 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.319051981 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.319830894 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.319991112 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.320177078 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.320290089 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.320385933 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.320429087 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.320467949 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.320741892 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.320749044 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.320769072 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.320794106 CET	49843	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.320801973 CET	443	49843	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.322395086 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.322395086 CET	49844	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.322432041 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.322457075 CET	443	49844	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.323714018 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.323745966 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.323784113 CET	49845	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.323798895 CET	443	49845	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.326767921 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.326798916 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.326884031 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.328473091 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.328485966 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.328494072 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.328526020 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.328648090 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.328881979 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.328898907 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.330624104 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.330634117 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.331202030 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.333901882 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.333910942 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.351712942 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.351928949 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.352010965 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.355361938 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.355361938 CET	49846	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.355380058 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.355401993 CET	443	49846	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.359349012 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.359364033 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.359663010 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.359832048 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.359847069 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.363917112 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.364048004 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.367023945 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.367086887 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.367086887 CET	49847	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.367105007 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.367125988 CET	443	49847	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.371239901 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.371279955 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.371432066 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.371542931 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.371556044 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.901782990 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.947204113 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.947227001 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.947503090 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.947516918 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.967084885 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.968044043 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.968044996 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.968067884 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.968084097 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.971247911 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.975471973 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.975480080 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:34.975773096 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:34.975776911 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.002242088 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.006217957 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.044711113 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.045547962 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.045614958 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.046062946 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.068500996 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.068628073 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.069137096 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.069782972 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.069806099 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.070447922 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.070463896 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.070483923 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.070489883 CET	49848	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.070489883 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.070496082 CET	443	49848	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.071897984 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.071897984 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.071922064 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.071940899 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.071971893 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.072062016 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.072208881 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.072208881 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.072225094 CET	49850	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.072228909 CET	443	49850	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.077825069 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.077826023 CET	49849	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.077850103 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.077860117 CET	443	49849	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.166595936 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.166717052 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.166843891 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.166865110 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.166917086 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.166959047 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.167222023 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.167367935 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.471913099 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.471944094 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.471957922 CET	49851	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.471963882 CET	443	49851	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.472275019 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.472275019 CET	49852	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.472321033 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.472332954 CET	443	49852	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.644412994 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.644449949 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.644520998 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.684429884 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.684458017 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.686266899 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.686331034 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.686388016 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.686609983 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.686624050 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.686979055 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.687011003 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.687061071 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.724375010 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.724431038 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.724509001 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.724632025 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.724646091 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.725549936 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.725591898 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.725641966 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.725771904 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.725797892 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:35.726583958 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:35.726597071 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.347245932 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.347824097 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.347853899 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.348388910 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.348397017 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.362020969 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.362925053 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.362955093 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.363394022 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.363401890 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.366477966 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.368467093 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.368494987 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.368891001 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.368900061 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.372975111 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.373291969 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.373311996 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.373351097 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.373915911 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.373927116 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.409625053 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.409656048 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.410460949 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.410471916 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.458674908 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.458767891 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.458844900 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.459117889 CET	49853	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.459139109 CET	443	49853	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.461996078 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.462023020 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.462069988 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.462110043 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.462141991 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.462753057 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.462775946 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.462790966 CET	49857	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.462798119 CET	443	49857	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.465719938 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.465823889 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.465883970 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.467140913 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.467175961 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.467590094 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.468367100 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.468410015 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.468477964 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.469471931 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.469490051 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.469505072 CET	49855	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.469511032 CET	443	49855	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.469923973 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.469942093 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.470084906 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.470101118 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.472641945 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.472671986 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.472731113 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.472882032 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.472898006 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.474335909 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.474698067 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.474740982 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.474754095 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.474797964 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.474942923 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.474952936 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.474986076 CET	49856	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.474991083 CET	443	49856	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.477972031 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.478003979 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.478102922 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.478338003 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.478349924 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.512219906 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.512545109 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.512610912 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.513510942 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.513537884 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.513561964 CET	49854	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.513570070 CET	443	49854	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.519686937 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.519733906 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:36.519792080 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.520225048 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:36.520241022 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.121653080 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.122164011 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.122186899 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.122663021 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.122668028 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.124111891 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.124782085 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.124802113 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.125339985 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.125349998 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.129221916 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.129606009 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.129645109 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.130280972 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.130287886 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.142556906 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.143323898 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.143345118 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.143862009 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.143867970 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.197814941 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.198364973 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.198379993 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.198837042 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.198842049 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.221822023 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.222249985 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.222311020 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.222337961 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.222352982 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.222378969 CET	49858	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.222384930 CET	443	49858	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.225159883 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.225207090 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.225353956 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.225553989 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.225569010 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.227158070 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.227915049 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.227977037 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.229892969 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.229903936 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.229914904 CET	49860	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.229919910 CET	443	49860	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.232358932 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.232456923 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.232537985 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.232717991 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.232765913 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.234791994 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.235021114 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.235105038 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.235160112 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.235179901 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.235193968 CET	49859	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.235203028 CET	443	49859	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.237193108 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.237279892 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.237720013 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.237823009 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.237852097 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.246140957 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.248430014 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.248498917 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.248732090 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.248740911 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.248750925 CET	49861	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.248755932 CET	443	49861	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.251077890 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.251133919 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.251259089 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.251749992 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.251790047 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.302752018 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.303035021 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.303103924 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.303148985 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.303169012 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.303185940 CET	49862	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.303191900 CET	443	49862	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.306231022 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.306263924 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.306469917 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.306632042 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.306647062 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.876185894 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.880923986 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.880959988 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.881400108 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.881407022 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.881865978 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.882205009 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.882230043 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.882632971 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.882638931 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.888930082 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.889343977 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.889386892 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.889719963 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.889736891 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.924200058 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.924714088 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.924758911 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.925179005 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.925184965 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.972884893 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.978957891 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.979418993 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.979449987 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.979907036 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.979919910 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.982615948 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.982702017 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.982733965 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.982752085 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.982791901 CET	49864	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.982799053 CET	443	49864	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.984934092 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.985007048 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.985503912 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.985527992 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.985549927 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.985646963 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.985666037 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.985682011 CET	49863	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.985687971 CET	443	49863	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.985719919 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.986905098 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.986920118 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.988074064 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.988168001 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.988630056 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.988955021 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.988989115 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.992247105 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.992394924 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.992470980 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.992549896 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.992602110 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.992602110 CET	49865	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.992633104 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.992657900 CET	443	49865	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.994899035 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.994913101 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:37.995167971 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.995266914 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:37.995277882 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.030374050 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.030477047 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.030570984 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.030827999 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.030839920 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.030852079 CET	49866	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.030858040 CET	443	49866	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.033390999 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.033483028 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.033576965 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.033802986 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.033837080 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.080281019 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.080621958 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.080687046 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.081135035 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.081135035 CET	49867	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.081156969 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.081177950 CET	443	49867	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.083781958 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.083828926 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.083926916 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.084261894 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.084290028 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.638382912 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.639168978 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.639204025 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.640106916 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.640117884 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.664402962 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.666347980 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.666382074 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.666963100 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.666974068 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.669226885 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.669615030 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.669653893 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.670015097 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.670022964 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.736581087 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.737181902 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.737267971 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.737684011 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.737699986 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.746063948 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.746094942 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.746139050 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.746141911 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.746184111 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.746380091 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.746400118 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.746412992 CET	49870	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.746418953 CET	443	49870	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.750025988 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.750119925 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.750196934 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.750752926 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.750796080 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.772269964 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.772341013 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.772406101 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.772442102 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.772504091 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.772548914 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.772593975 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.772623062 CET	49871	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.772639990 CET	443	49871	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.776781082 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.776843071 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.776910067 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.777086020 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.777113914 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.783260107 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.783360958 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.783412933 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.783685923 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.783706903 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.783720016 CET	49868	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.783726931 CET	443	49868	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.829957008 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.830003023 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.830073118 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.830343962 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.830362082 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.840727091 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.840981007 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.841063023 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.841108084 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.841108084 CET	49872	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.841130018 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.841140985 CET	443	49872	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.844132900 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.844165087 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:38.844214916 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.844605923 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:38.844638109 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.386054993 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.386965990 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.387007952 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.387505054 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.387514114 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.441688061 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.442364931 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.442393064 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.443162918 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.443171024 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.489106894 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.489375114 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.489500999 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.489547968 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.489619970 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.497363091 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.497396946 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.497821093 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.497834921 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.498382092 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.498382092 CET	49873	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.498420000 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.498446941 CET	443	49873	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.501737118 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.501787901 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.501868010 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.502074003 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.502115011 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.520567894 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.521164894 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.521239996 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.521639109 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.521652937 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.546889067 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.546993017 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.547092915 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.547466040 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.547508001 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.547538042 CET	49874	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.547554016 CET	443	49874	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.550343990 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.550384045 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.550465107 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.550616980 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.550631046 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.594376087 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.594429016 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.594511986 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.594542027 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.594671011 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.594733953 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.595340967 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.595340967 CET	49875	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.595366955 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.595391035 CET	443	49875	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.600419044 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.600517988 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.600600004 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.600739002 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.600776911 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.627430916 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.627557039 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.627609968 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.627636909 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.627665997 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.627840042 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.627860069 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.627892971 CET	49876	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.627897978 CET	443	49876	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.629921913 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.629967928 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:39.630033970 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.630140066 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:39.630155087 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.000097990 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.001403093 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.001455069 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.001899958 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.001914024 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.110599995 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.110622883 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.110703945 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.110712051 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.110785007 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.112725019 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.112725019 CET	49869	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.112771988 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.112799883 CET	443	49869	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.115758896 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.115820885 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.115931034 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.116091967 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.116111040 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.178287983 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.183928013 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.184014082 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.184391975 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.184406996 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.198941946 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.201329947 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.201358080 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.201783895 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.201793909 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.276204109 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.276851892 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.276881933 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.277312994 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.277319908 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.281830072 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.282150984 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.282211065 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.282485008 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.282497883 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.284557104 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.284904957 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.284951925 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.284961939 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.285011053 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.285058975 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.285059929 CET	49877	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.285094023 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.285116911 CET	443	49877	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.287709951 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.287755013 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.287827969 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.288077116 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.288091898 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.298607111 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.298757076 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.298815012 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.298849106 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.298866987 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.298878908 CET	49878	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.298883915 CET	443	49878	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.301044941 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.301081896 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.301136017 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.301229954 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.301244974 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.376636028 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.376796961 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.376859903 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.377055883 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.377082109 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.377098083 CET	49880	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.377103090 CET	443	49880	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.381611109 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.381656885 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.381714106 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.382442951 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.382457018 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.388715982 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.388812065 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.388860941 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.389086008 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.389110088 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.389126062 CET	49879	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.389134884 CET	443	49879	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.392623901 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.392652035 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.392702103 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.393687963 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.393702030 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.780682087 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.783432961 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.783452034 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.784070969 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.784076929 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.886992931 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.887026072 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.887070894 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.887151003 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.887202978 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.888151884 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.888174057 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.888185024 CET	49881	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.888190985 CET	443	49881	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.891917944 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.891968966 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.892038107 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.892359018 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.892369986 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.936538935 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.937273979 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.937303066 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.937824965 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.937829971 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.967180967 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.967721939 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.967745066 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:40.968174934 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:40.968182087 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.032300949 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.032883883 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.032912970 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.033390045 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.033396959 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.049062967 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.049356937 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.049417019 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.049978018 CET	49882	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.049992085 CET	443	49882	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.053522110 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.053564072 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.053641081 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.053757906 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.053772926 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.056691885 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.056992054 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.057001114 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.057421923 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.057425022 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.074634075 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.074918985 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.074961901 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.074984074 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.075140953 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.075140953 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.075140953 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.077450037 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.077497959 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.077567101 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.077687025 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.077702999 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.133825064 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.133982897 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.134165049 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.134246111 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.134272099 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.134285927 CET	49884	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.134294033 CET	443	49884	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.137188911 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.137237072 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.137327909 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.137459993 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.137479067 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.218280077 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.218322039 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.218385935 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.218388081 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.218444109 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.218786955 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.218808889 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.218818903 CET	49885	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.218826056 CET	443	49885	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.222073078 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.222119093 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.222222090 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.222362995 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.222378016 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.544466019 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.550383091 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.550415039 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.550888062 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.550894022 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.562486887 CET	49883	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.562521935 CET	443	49883	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.687009096 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.687258959 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.687441111 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.687835932 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.687860966 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.687876940 CET	49886	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.687885046 CET	443	49886	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.691551924 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.691606998 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.691690922 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.692003965 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.692015886 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.696213961 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.699340105 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.699368954 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.699866056 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.699872971 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.729510069 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.731302023 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.731332064 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.731750965 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.731756926 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.795886040 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.796196938 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.796334028 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.796597958 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.796618938 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.796631098 CET	49887	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.796637058 CET	443	49887	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.801815987 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.802054882 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.802103043 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.802397013 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.802423954 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.802437067 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.802840948 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.802848101 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.802966118 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.802988052 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.830936909 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.831432104 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.835011959 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.835042953 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.835063934 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.835077047 CET	49888	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.835082054 CET	443	49888	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.837883949 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.837996006 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.839284897 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.839417934 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.839456081 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.885150909 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.907223940 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.907527924 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.907877922 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.913477898 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.913496971 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.913983107 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.913990021 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.915462017 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.915488958 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.915563107 CET	49889	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.915570021 CET	443	49889	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.926740885 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.926780939 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:41.926891088 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.927061081 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:41.927074909 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.013844967 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.014080048 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.014134884 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.014424086 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.014447927 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.014458895 CET	49890	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.014465094 CET	443	49890	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.021975994 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.022051096 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.022180080 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.022537947 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.022563934 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.334378958 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.334995985 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.335074902 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.335566998 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.335582018 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.434528112 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.435252905 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.435278893 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.435772896 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.435777903 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.439327002 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.439369917 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.439416885 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.439434052 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.439501047 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.439678907 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.439727068 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.439755917 CET	49891	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.439771891 CET	443	49891	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.443290949 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.443345070 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.443414927 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.443545103 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.443562031 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.474945068 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.475460052 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.475545883 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.475903988 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.475918055 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.534780979 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.534862041 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.534919024 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.535240889 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.535257101 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.535296917 CET	49892	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.535301924 CET	443	49892	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.538526058 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.538562059 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.538635969 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.538762093 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.538777113 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.574345112 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.574803114 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.574846983 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.574883938 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.574951887 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.594290972 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.594312906 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.594324112 CET	49893	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.594330072 CET	443	49893	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.597461939 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.597513914 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.597584009 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.597747087 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.597763062 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.598615885 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.598962069 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.598989010 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.599440098 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.599450111 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.657130957 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.657635927 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.657659054 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.658102989 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.658107996 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.702065945 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.702299118 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.702492952 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.702912092 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.702949047 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.702999115 CET	49894	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.703021049 CET	443	49894	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.707633972 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.707684994 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.707746983 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.707896948 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.707910061 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.757066965 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.757105112 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.757150888 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.757245064 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.757424116 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.757424116 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.758970976 CET	49895	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.759011984 CET	443	49895	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.760143995 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.760180950 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:42.760256052 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.760626078 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:42.760636091 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.004816055 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.007555962 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.007586956 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.008024931 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.008034945 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.107768059 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.108052015 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.108155966 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.108155966 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.109316111 CET	49896	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.109332085 CET	443	49896	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.111665964 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.111696959 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.111752033 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.111943007 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.111958027 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.178890944 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.181955099 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.181972027 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.182446003 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.182451010 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.259488106 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.278862000 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.278894901 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.279345989 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.279355049 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.284603119 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.284645081 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.284689903 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.284701109 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.284744024 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.284837961 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.284862995 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.284878016 CET	49897	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.284884930 CET	443	49897	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.287708998 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.287753105 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.287822008 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.287962914 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.287972927 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.378067017 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.378950119 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.378978968 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.379945993 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.379951000 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.383076906 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.383141041 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.383197069 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.383389950 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.383409977 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.383423090 CET	49898	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.383429050 CET	443	49898	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.388081074 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.388120890 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.388179064 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.388417959 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.388436079 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.396287918 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.396855116 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.396882057 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.397310019 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.397315979 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.481559992 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.481618881 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.481699944 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.481717110 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.481827974 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.481883049 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.482017040 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.482033968 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.482043028 CET	49899	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.482049942 CET	443	49899	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.485095978 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.485124111 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.485188007 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.485328913 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.485337973 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.495997906 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.496032000 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.496088028 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.496119976 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.496362925 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.496416092 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.496416092 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.496439934 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.496454000 CET	49900	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.496459961 CET	443	49900	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.498944044 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.498996973 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.499068975 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.499191999 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.499205112 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.775110960 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.775710106 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.775731087 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.776223898 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.776233912 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.876105070 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.876163006 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.876250982 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.876276016 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.876332998 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.883534908 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.883554935 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.883567095 CET	49901	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.883573055 CET	443	49901	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.886600018 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.886653900 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.886730909 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.886876106 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.886890888 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.926793098 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.927499056 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.927520037 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:43.928016901 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:43.928021908 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.026242018 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.026612043 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.026684046 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.028239012 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.028261900 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.028276920 CET	49902	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.028283119 CET	443	49902	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.031176090 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.031223059 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.031301022 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.031543016 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.031553984 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.038898945 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.039525032 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.039546967 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.040033102 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.040039062 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.133003950 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.133718014 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.133747101 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.134241104 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.134248972 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.137156010 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.137811899 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.137831926 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.138312101 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.138317108 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.184099913 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.184129953 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.184174061 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.184251070 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.184288025 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.184500933 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.184525013 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.184536934 CET	49903	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.184542894 CET	443	49903	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.187764883 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.187788963 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.187875986 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.188153028 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.188168049 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.232307911 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.232398987 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.232450962 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.232544899 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.232595921 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.232901096 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.232923031 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.232935905 CET	49905	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.232942104 CET	443	49905	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.236109972 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.236160040 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.236231089 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.236407042 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.236417055 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.240819931 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.240963936 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.241008997 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.241061926 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.241080999 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.241092920 CET	49904	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.241099119 CET	443	49904	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.243274927 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.243319988 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.243391991 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.243506908 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.243520021 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.574112892 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.574820995 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.574845076 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.575301886 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.575306892 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.680098057 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.680171013 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.680335999 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.680538893 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.680557966 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.680571079 CET	49906	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.680577040 CET	443	49906	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.683758974 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.683805943 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.683881998 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.684043884 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.684055090 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.695307970 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.695854902 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.695890903 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.696356058 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.696363926 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.798183918 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.798367977 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.798429966 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.798528910 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.798528910 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.798624992 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.798645020 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.798660994 CET	49907	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.798666954 CET	443	49907	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.801790953 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.801839113 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.801906109 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.802052975 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.802063942 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.841690063 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.842442036 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.842475891 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.842812061 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.842818022 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.875977039 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.876328945 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.876674891 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.876696110 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.877036095 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.877042055 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.877552986 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.877582073 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.877934933 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.877939939 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.942564964 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.942753077 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.942801952 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.943943024 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.943963051 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.943974018 CET	49908	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.943979979 CET	443	49908	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.951956987 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.952001095 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.952054024 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.952343941 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.952352047 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.976742983 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.977098942 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.977152109 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.977601051 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.977834940 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.977880001 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.977885962 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.977931023 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.997302055 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.997337103 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:44.997351885 CET	49910	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:44.997359037 CET	443	49910	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.000816107 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.000835896 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.000849009 CET	49909	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.000854969 CET	443	49909	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.005422115 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.005464077 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.005521059 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.006607056 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.006644964 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.006710052 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.006802082 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.006814003 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.006911039 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.006922960 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.334429979 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.342616081 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.342636108 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.343374014 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.343379021 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.442761898 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.442836046 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.442887068 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.443108082 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.443121910 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.443133116 CET	49911	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.443140030 CET	443	49911	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.446038008 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.446084976 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.446172953 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.446310043 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.446331024 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.483362913 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.484065056 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.484086037 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.484704971 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.484709978 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.594472885 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.594532013 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.594584942 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.594624996 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.594651937 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.594872952 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.594891071 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.594903946 CET	49912	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.594911098 CET	443	49912	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.597857952 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.597903967 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.597979069 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.598124027 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.598136902 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.620937109 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.621543884 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.621570110 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.622039080 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.622042894 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.647293091 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.647876024 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.647896051 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.648367882 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.648372889 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.652570009 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.652838945 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.652858019 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.653176069 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.653182030 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.724455118 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.724945068 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.725045919 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.725090027 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.725111961 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.725126028 CET	49913	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.725131035 CET	443	49913	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.728105068 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.728166103 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.728374004 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.728548050 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.728564978 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.753894091 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.753978968 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.754062891 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.754092932 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.754117966 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.754184008 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.754319906 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.754333973 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.754344940 CET	49915	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.754349947 CET	443	49915	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.757178068 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.757221937 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.757304907 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.757441998 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.757457972 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.758754969 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.758821011 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.758912086 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.758948088 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.758968115 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.758981943 CET	49914	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.758986950 CET	443	49914	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.760786057 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.760821104 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:45.760888100 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.761003017 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:45.761018991 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.091012955 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.094820976 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.094839096 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.095441103 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.095448971 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.197865963 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.197973967 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.198030949 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.198554039 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.198554039 CET	49916	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.198574066 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.198581934 CET	443	49916	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.201966047 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.202014923 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.202080965 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.202393055 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.202404022 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.240710974 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.241291046 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.241314888 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.241908073 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.241914034 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.346309900 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.346508026 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.346553087 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.346555948 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.346616030 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.379076958 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.379097939 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.379113913 CET	49917	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.379128933 CET	443	49917	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.385696888 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.385744095 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.385791063 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.386221886 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.386245966 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.397445917 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.397916079 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.397942066 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.398655891 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.398662090 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.415141106 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.415697098 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.415730953 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.416266918 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.416275024 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.417936087 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.418492079 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.418502092 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.419123888 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.419128895 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.501121044 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.501353025 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.501512051 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.501512051 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.501512051 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.504704952 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.504748106 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.504862070 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.505091906 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.505106926 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.519898891 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.519927979 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.519977093 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.520014048 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.520076990 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.520217896 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.520236969 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.520248890 CET	49920	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.520256996 CET	443	49920	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.521271944 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.521404982 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.521449089 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.521838903 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.521848917 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.521867037 CET	49919	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.521872997 CET	443	49919	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.524657965 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.524702072 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.524764061 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.524893999 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.524909973 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.525964022 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.525996923 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.526048899 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.526315928 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.526326895 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:46.625225067 CET	49700	80	192.168.2.6	104.18.20.226
Nov 20, 2024 11:16:46.625232935 CET	49701	80	192.168.2.6	104.18.21.226
Nov 20, 2024 11:16:46.625296116 CET	49702	80	192.168.2.6	104.18.21.226
Nov 20, 2024 11:16:46.853209972 CET	80	49700	104.18.20.226	192.168.2.6
Nov 20, 2024 11:16:46.853228092 CET	80	49701	104.18.21.226	192.168.2.6
Nov 20, 2024 11:16:46.853238106 CET	80	49702	104.18.21.226	192.168.2.6
Nov 20, 2024 11:16:46.853355885 CET	49700	80	192.168.2.6	104.18.20.226
Nov 20, 2024 11:16:46.853364944 CET	49701	80	192.168.2.6	104.18.21.226
Nov 20, 2024 11:16:46.853378057 CET	49702	80	192.168.2.6	104.18.21.226
Nov 20, 2024 11:16:46.906279087 CET	49918	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:46.906303883 CET	443	49918	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.041800976 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.064541101 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.064562082 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.065162897 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.065167904 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.067261934 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.068259954 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.068289995 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.068802118 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.068810940 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.153925896 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.162003040 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.162079096 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.162139893 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.172436953 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.172646999 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.172672987 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.172703028 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.172754049 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.172765970 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.173224926 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.173230886 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.173374891 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.173477888 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.173504114 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.173827887 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.173839092 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.174016953 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.174036980 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.174365044 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.174371004 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.174760103 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.174777985 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.174791098 CET	49921	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.174796104 CET	443	49921	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.177649975 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.177685976 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.177779913 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.177885056 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.177900076 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.187959909 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.187959909 CET	49922	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.187987089 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.187999010 CET	443	49922	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.273420095 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.273657084 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.273744106 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.273771048 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.273883104 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.273973942 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.274873972 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.275068998 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.275120020 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.275154114 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.275278091 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.275327921 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.279077053 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.279247999 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.279309988 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.312906027 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.312944889 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.312962055 CET	49923	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.312968969 CET	443	49923	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.312994003 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.313024044 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.313047886 CET	49925	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.313055038 CET	443	49925	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.313666105 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.313690901 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.313700914 CET	49924	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.313707113 CET	443	49924	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.357019901 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.357070923 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.357130051 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.426400900 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.426446915 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.426503897 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.426763058 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.426790953 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.445605040 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.445647001 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.445708036 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.445955992 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.445966959 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.447240114 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.447268009 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.447325945 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.447403908 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.447417021 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.448445082 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.448462009 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.809551954 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.810177088 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.810195923 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.810689926 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.810694933 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.909832001 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.909879923 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.910017014 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.910451889 CET	49926	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.910470009 CET	443	49926	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.914575100 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.914690971 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:47.914788961 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.914931059 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:47.914959908 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.068783045 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.069377899 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.069407940 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.069855928 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.069861889 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.097142935 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.104959965 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.104988098 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.105510950 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.105524063 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.115343094 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.115715027 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.115732908 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.116099119 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.116105080 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.174010992 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.174416065 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.174504042 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.174546957 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.174546957 CET	49927	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.174566984 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.174577951 CET	443	49927	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.177462101 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.177517891 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.177664995 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.177766085 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.177779913 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.204035997 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.204063892 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.204107046 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.204153061 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.204215050 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.204341888 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.204386950 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.204415083 CET	49929	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.204431057 CET	443	49929	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.207034111 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.207070112 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.207267046 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.207442999 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.207454920 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.222094059 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.222218990 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.222284079 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.222328901 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.222343922 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.222357988 CET	49930	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.222362995 CET	443	49930	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.229362011 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.229387045 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.229477882 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.230166912 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.230178118 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.577316999 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.577842951 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.577909946 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.578391075 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.578404903 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.684156895 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.684709072 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.684767008 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.684798956 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.684825897 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.684880018 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.684901953 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.684915066 CET	49931	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.684920073 CET	443	49931	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.688193083 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.688230991 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.688306093 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.688951969 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.688961983 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.905009031 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.907072067 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.907088041 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.907537937 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.907546043 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.910444975 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.910758972 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.910768032 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.911139965 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.911153078 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.911695957 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.911932945 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.911956072 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:48.912288904 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:48.912295103 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.005215883 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.006094933 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.006198883 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.006225109 CET	49934	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.006244898 CET	443	49934	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.008678913 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.008848906 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.008985043 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009273052 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009345055 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009352922 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.009363890 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.009371996 CET	49932	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009378910 CET	443	49932	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.009443045 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009604931 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.009664059 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.011464119 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.011501074 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.011570930 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.011691093 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.011703968 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.014914036 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.014997005 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.015049934 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.015064001 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.015103102 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.015151978 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.015166998 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.015181065 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.015193939 CET	49933	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.015197992 CET	443	49933	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.019865036 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.019898891 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.019969940 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.020070076 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.020096064 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.555507898 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.556133986 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.556164980 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.556622982 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.556627035 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.653387070 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.654051065 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.654076099 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.654527903 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.654531956 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.660259962 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.660594940 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.660629034 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.660964012 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.660972118 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.664027929 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.664294004 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.664307117 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.664633036 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.664637089 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.665349960 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.665409088 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.665513039 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.669455051 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.669455051 CET	49935	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.669472933 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.669481993 CET	443	49935	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.678724051 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.678764105 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.678823948 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.679136992 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.679146051 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.752624035 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.752896070 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.752932072 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.752965927 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.753000021 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.753051043 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.753068924 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.753082037 CET	49937	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.753087044 CET	443	49937	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.755963087 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.755989075 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.756067038 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.756222010 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.756231070 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.762150049 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.762231112 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.762284994 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.762491941 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.762506008 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.762530088 CET	49938	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.762536049 CET	443	49938	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.765347004 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.765389919 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.765482903 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.765758991 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.765775919 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.775513887 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.775849104 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.775950909 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.775950909 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.775974989 CET	49936	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.775983095 CET	443	49936	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.778167963 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.778199911 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:49.778353930 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.778476954 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:49.778491974 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.351413965 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.409662962 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.410017014 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.422137022 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.437212944 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.602062941 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.602088928 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.603086948 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.603091955 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.603697062 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.603720903 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.607134104 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.607141018 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.607409954 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.607418060 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.607796907 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.607800961 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.608072996 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.608100891 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.620431900 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.620460033 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.701374054 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.701540947 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.701598883 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.705972910 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.706053972 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.706101894 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.709907055 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.710200071 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.710258961 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.720685005 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.720839024 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.721224070 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.738791943 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.738812923 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.738830090 CET	49942	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.738836050 CET	443	49942	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.741122007 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.741122007 CET	49941	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.741156101 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.741168022 CET	443	49941	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.749641895 CET	49939	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.749659061 CET	443	49939	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.751506090 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.751522064 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.751533031 CET	49940	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.751537085 CET	443	49940	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.855262041 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.855320930 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.855431080 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.858385086 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.858432055 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.858484030 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.858997107 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.859019041 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.889591932 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.889617920 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.893058062 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.893125057 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.893184900 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.893331051 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.893348932 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.913372040 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.913484097 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:50.913573027 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.914648056 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:50.914684057 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.091376066 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.091989040 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.092020035 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.092439890 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.092446089 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.216090918 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.216170073 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.216253996 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.231767893 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.231800079 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.231832981 CET	49928	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.231842041 CET	443	49928	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.234972000 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.235028028 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.235100985 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.261219978 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.261281013 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.506340027 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.506921053 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.506958008 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.507467031 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.507472038 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.547498941 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.549721003 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.549747944 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.550165892 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.550172091 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.556469917 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.556972027 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.557033062 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.557368040 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.557380915 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.557739019 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.560379982 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.560408115 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.560754061 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.560765982 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.607259035 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.607455969 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.607511997 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.614773035 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.614811897 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.614830971 CET	49943	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.614839077 CET	443	49943	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.618367910 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.618405104 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.618504047 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.618675947 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.618690014 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.654126883 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.654303074 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.654402018 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.654433012 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.654463053 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.654493093 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.654519081 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.654530048 CET	49945	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.654537916 CET	443	49945	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.658448935 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.658854961 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.658925056 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.659137964 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.659138918 CET	49946	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.659179926 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.659207106 CET	443	49946	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.662503958 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.662544012 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.662596941 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.663038969 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.663136005 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.663151026 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.663774014 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.664223909 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.664238930 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.664257050 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.664300919 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.664433956 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.664441109 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.670329094 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.670347929 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.670371056 CET	49944	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.670384884 CET	443	49944	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.673255920 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.673274994 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.673326969 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.673573971 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.673585892 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.907082081 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.918061972 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.918093920 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:51.918575048 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:51.918581009 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.014178991 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.014597893 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.014719009 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.014725924 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.014771938 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.014972925 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.014995098 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.015007019 CET	49947	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.015012026 CET	443	49947	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.018472910 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.018574953 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.018711090 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.019218922 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.019264936 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.268356085 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.276689053 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.276706934 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.277174950 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.277180910 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.320755959 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.321301937 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.321326017 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.321795940 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.321803093 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.326472998 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.326824903 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.326858044 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.327224016 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.327234983 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.341461897 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.341851950 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.341893911 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.342226028 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.342243910 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.377419949 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.377516031 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.377605915 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.377904892 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.377923012 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.377933979 CET	49948	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.377938986 CET	443	49948	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.380798101 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.380842924 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.380909920 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.381092072 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.381104946 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.422972918 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.423130989 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.423177004 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.423553944 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.423572063 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.423584938 CET	49950	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.423590899 CET	443	49950	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.428267002 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.428302050 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.428358078 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.428721905 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.428806067 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.428822041 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.428854942 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.428899050 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.429023981 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.429042101 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.429054976 CET	49951	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.429060936 CET	443	49951	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.432293892 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.432308912 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.432359934 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.432531118 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.432543039 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.450278044 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.450347900 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.450397015 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.450412989 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.450462103 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.450508118 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.474597931 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.474627972 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.474642038 CET	49949	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.474648952 CET	443	49949	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.522608995 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.522663116 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.522768974 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.522924900 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.522934914 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.672365904 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.672960997 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.672996998 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.673501015 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.673506975 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.774524927 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.774775982 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.774866104 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.774947882 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.774964094 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.774974108 CET	49952	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.774979115 CET	443	49952	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.778091908 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.778142929 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:52.778211117 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.778358936 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:52.778366089 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.032486916 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.055787086 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.055819035 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.056277990 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.056286097 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.065157890 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.065587044 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.065612078 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.066011906 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.066016912 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.080415964 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.080786943 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.080817938 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.081171036 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.081182003 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.154782057 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.154851913 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.154962063 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.154964924 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.155014992 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.174290895 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.174458027 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.174520016 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.185480118 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.185549021 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.185597897 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.192897081 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.204484940 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.204526901 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.209270000 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.209284067 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.209465981 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.209502935 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.209527016 CET	49953	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.209533930 CET	443	49953	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.217092037 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.217129946 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.217145920 CET	49954	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.217154026 CET	443	49954	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.225100994 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.225121021 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.225148916 CET	49955	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.225152969 CET	443	49955	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.309705973 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.309742928 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.309809923 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.309827089 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.310050964 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.310091019 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.421034098 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.489310980 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.489345074 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.489403963 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.493699074 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.493710041 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.493741035 CET	49956	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.493745089 CET	443	49956	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.501408100 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.599687099 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.599699020 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.600258112 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.600263119 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.601392984 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.601421118 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.604698896 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.604727030 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.604784966 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.605133057 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.605144978 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.606184959 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.606224060 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.606273890 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.606479883 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.606491089 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.697901964 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.697998047 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.698050022 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.740885019 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.740912914 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.740926027 CET	49957	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.740932941 CET	443	49957	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.750688076 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.750739098 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.750803947 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.752336979 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.752353907 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.755001068 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.755037069 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:53.755116940 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.755352974 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:53.755363941 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.247344017 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.249485970 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.249506950 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.250099897 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.250106096 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.269793987 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.271111012 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.271627903 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.271661043 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.271744967 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.271761894 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.272068024 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.272073030 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.272170067 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.272175074 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.352843046 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.352884054 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.352950096 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.352966070 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.352988005 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.353039026 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.353260994 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.353277922 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.353287935 CET	49959	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.353292942 CET	443	49959	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.356507063 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.356549978 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.356622934 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.356764078 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.356775045 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.378767014 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.378823042 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.378899097 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.378911018 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.378957033 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.379034042 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.379300117 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.379316092 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.379329920 CET	49958	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.379333973 CET	443	49958	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.380520105 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.380547047 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.380620003 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.380636930 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.380765915 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.380887032 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.381062031 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.381074905 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.381083965 CET	49960	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.381089926 CET	443	49960	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.383837938 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.383865118 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.384021997 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.384273052 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.384284973 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.388138056 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.388179064 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.388247967 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.388456106 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.388473988 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.392666101 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.393047094 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.393064976 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.393506050 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.393511057 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.411459923 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.411818981 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.411835909 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.412219048 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.412224054 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.494374037 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.494401932 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.494452953 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.494462967 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.494573116 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.494642019 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.513307095 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.513401031 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.513465881 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.518326044 CET	49961	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.518342018 CET	443	49961	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.520060062 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.520077944 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.520091057 CET	49962	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.520097017 CET	443	49962	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.524871111 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.524908066 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.525027037 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.525675058 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.525717974 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.525783062 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.526043892 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.526053905 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:54.526130915 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:54.526141882 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.005274057 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.030710936 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.030731916 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.031198978 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.031204939 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.048960924 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.049307108 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.049326897 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.049721956 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.049729109 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.088649035 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.093172073 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.093188047 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.093671083 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.093676090 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.130721092 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.130779982 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.130892992 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.131078959 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.131099939 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.131110907 CET	49963	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.131115913 CET	443	49963	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.133929968 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.133959055 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.134015083 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.134150982 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.134164095 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.147933006 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.148607016 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.148684978 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.148957968 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.148958921 CET	49965	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.148978949 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.148991108 CET	443	49965	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.151226044 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.151258945 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.151324034 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.151433945 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.151442051 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.205540895 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.209316969 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.209336996 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.209671974 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.209676981 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.212511063 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.212655067 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.212718964 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.212820053 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.212837934 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.212851048 CET	49964	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.212857962 CET	443	49964	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.212867975 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.215079069 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.215101957 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.215378046 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.215389967 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.215410948 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.215778112 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.215781927 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.215887070 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.215895891 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.312843084 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.312874079 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.312943935 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.312954903 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.313108921 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.313149929 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.315495014 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.315511942 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.315526962 CET	49967	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.315534115 CET	443	49967	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.318227053 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.318253994 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.318314075 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.318419933 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.318428040 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321279049 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321325064 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321371078 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.321383953 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321418047 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.321422100 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321432114 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.321434975 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.321444035 CET	49966	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.321456909 CET	443	49966	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.323292017 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.323324919 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.323376894 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.323470116 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.323484898 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.774867058 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.775408983 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.775425911 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.775904894 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.775911093 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.788955927 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.789390087 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.789405107 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.789844036 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.789849043 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.865658045 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.868005991 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.868019104 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.868603945 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.868608952 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.879539967 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.879607916 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.879673004 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.879681110 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.879702091 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.879848957 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.879848957 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.890662909 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.890717983 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.890789986 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.890799999 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.890978098 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.915283918 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.915283918 CET	49969	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:55.915311098 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:55.915329933 CET	443	49969	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.066823959 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.066864014 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.066931963 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.067784071 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.067796946 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.245692015 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.245708942 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.245795012 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.245898008 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.245898008 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.246784925 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.246810913 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.246825933 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.246871948 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.246885061 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.246929884 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.254103899 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.254120111 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.255239010 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.255281925 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.255307913 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.255310059 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.255352974 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.283971071 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.283992052 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.284003019 CET	49968	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.284008026 CET	443	49968	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.292503119 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.292503119 CET	49970	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.292509079 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.292517900 CET	443	49970	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.300373077 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.300398111 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.304023027 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.304035902 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.304582119 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.304616928 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.306473017 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.306480885 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.400840044 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.400959969 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.401004076 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.401037931 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.401061058 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.401099920 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.401123047 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.401171923 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.401940107 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.401999950 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.402050018 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.402070999 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.402425051 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.402475119 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.414506912 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.414524078 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.414535046 CET	49971	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.414540052 CET	443	49971	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.423583984 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.423612118 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.423640966 CET	49972	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.423648119 CET	443	49972	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.659383059 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.659423113 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.659485102 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.662034988 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.662050009 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.663872004 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.663912058 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.663966894 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.664124966 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.664139986 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.665932894 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.666030884 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.666110039 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.666217089 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.666239977 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.666731119 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.666836023 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.666903973 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.667058945 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.667095900 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.881787062 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.882477045 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.882499933 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.882962942 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.882970095 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.986989021 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.987092972 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.987253904 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.987643957 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.987664938 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.987680912 CET	49973	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.987687111 CET	443	49973	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.990926027 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.990972996 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:56.991059065 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.991203070 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:56.991214037 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.315881014 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.321919918 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.323071957 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.323339939 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.323401928 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.324079990 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.324094057 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.324532032 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.324548960 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.325149059 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.325154066 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.325639009 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.325707912 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.326672077 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.329348087 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.329364061 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.329891920 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.329902887 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.330574989 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.330579996 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.423783064 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.423866987 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.423960924 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.424010038 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.424102068 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.424165964 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.425400972 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.425551891 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.425616026 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.433454990 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.433743954 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.433759928 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.433830023 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.433995008 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.434067011 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.434685946 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.434685946 CET	49976	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.434736967 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.434760094 CET	443	49976	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.435571909 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.435605049 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.435647964 CET	49977	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.435664892 CET	443	49977	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.438529015 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.438544035 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.438555956 CET	49975	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.438560963 CET	443	49975	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.438631058 CET	49974	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.438647985 CET	443	49974	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.442735910 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.442822933 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.442895889 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.443341970 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.443391085 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.443445921 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.443974018 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.444000959 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.444055080 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.444165945 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.444214106 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.444232941 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.444248915 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.444339991 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.444350004 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.633203983 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.634253025 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.634277105 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.634758949 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.634763002 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.735419989 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.735560894 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.735635996 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.779841900 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.779900074 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:57.779937983 CET	49978	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:57.779958010 CET	443	49978	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.114933968 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.115756035 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.122922897 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.122948885 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.123426914 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.123433113 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.123667955 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.123696089 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.124031067 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.124036074 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.128386974 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.128650904 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.128693104 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.129012108 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.129018068 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.222863913 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223382950 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223591089 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.223606110 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223700047 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.223720074 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223730087 CET	49981	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.223736048 CET	443	49981	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223783016 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.223851919 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.223993063 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.223993063 CET	49979	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.224040031 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.224066973 CET	443	49979	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.235085964 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.235251904 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.235316992 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.235467911 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.235487938 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:16:58.235500097 CET	49980	443	192.168.2.6	13.107.246.45
Nov 20, 2024 11:16:58.235506058 CET	443	49980	13.107.246.45	192.168.2.6
Nov 20, 2024 11:17:33.849550009 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:33.860816002 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:33.860960960 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:33.887645006 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:33.895668983 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:33.903969049 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:33.911660910 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.356476068 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.356534958 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.356672049 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:34.360337019 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:34.367937088 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.472248077 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.515595913 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:34.842392921 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:34.850415945 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:34.850471973 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:34.860553026 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:39.133182049 CET	49706	80	192.168.2.6	199.232.210.172
Nov 20, 2024 11:17:39.133244991 CET	49705	443	192.168.2.6	20.190.160.17
Nov 20, 2024 11:17:39.172506094 CET	80	49706	199.232.210.172	192.168.2.6
Nov 20, 2024 11:17:39.172537088 CET	443	49705	20.190.160.17	192.168.2.6
Nov 20, 2024 11:17:39.172584057 CET	49706	80	192.168.2.6	199.232.210.172
Nov 20, 2024 11:17:39.172610044 CET	49705	443	192.168.2.6	20.190.160.17
Nov 20, 2024 11:17:41.313245058 CET	49708	443	192.168.2.6	20.190.160.17
Nov 20, 2024 11:17:41.321996927 CET	443	49708	20.190.160.17	192.168.2.6
Nov 20, 2024 11:17:41.322063923 CET	49708	443	192.168.2.6	20.190.160.17
Nov 20, 2024 11:17:54.348195076 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:54.390656948 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:17:54.441829920 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:17:54.484530926 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.580786943 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.586103916 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:01.586272001 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.591296911 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:01.722585917 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:01.765613079 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.809118032 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:01.819430113 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.826703072 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:01.826759100 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:01.833909035 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:14.364423037 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:14.406234026 CET	49984	56001	192.168.2.6	167.114.47.186
Nov 20, 2024 11:18:14.494637012 CET	56001	49984	167.114.47.186	192.168.2.6
Nov 20, 2024 11:18:14.546840906 CET	49984	56001	192.168.2.6	167.114.47.186

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 11:16:10.627177000 CET	1.1.1.1	192.168.2.6	0xb639	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 11:16:10.627177000 CET	1.1.1.1	192.168.2.6	0xb639	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 20, 2024 11:16:20.319084883 CET	1.1.1.1	192.168.2.6	0xb55e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 11:16:20.319084883 CET	1.1.1.1	192.168.2.6	0xb55e	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 20, 2024 11:16:21.591243029 CET	1.1.1.1	192.168.2.6	0xb6ac	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 20, 2024 11:16:21.591243029 CET	1.1.1.1	192.168.2.6	0xb6ac	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:16:03
Start date:	20/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi"
Imagebase:	0x7ff613a30000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:16:03
Start date:	20/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff613a30000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:16:04
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding BF03D9DA9F637DCB977237F6A9B3752B
Imagebase:	0x350000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:16:06
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"
Imagebase:	0x580000
File size:	895'488 bytes
MD5 hash:	2C0130F614EA8C240320EC47D0008EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:16:07
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Imagebase:	0xa20000
File size:	3'306'790 bytes
MD5 hash:	35135E7F357C522D07DDD87307C0345C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:16:08
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-RQURE.tmp\Vista Software.tmp" /SL5="$303F2,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Imagebase:	0x40000
File size:	3'615'232 bytes
MD5 hash:	584586C0CF548DB94F76F124046D58D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:16:09
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Imagebase:	0xa20000
File size:	3'306'790 bytes
MD5 hash:	35135E7F357C522D07DDD87307C0345C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:16:09
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_F78C.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"
Imagebase:	0xb20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:16:10
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:16:10
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp" /SL5="$403EC,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Imagebase:	0x700000
File size:	3'615'232 bytes
MD5 hash:	584586C0CF548DB94F76F124046D58D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:16:12
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xb20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:16:12
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:16:12
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:16:12
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:16:13
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xb20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3212, Parent PID: 6440

General

Target ID:	16
Start time:	05:16:13
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:16:13
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:16:13
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:16:14
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:16:14
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:16:15
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:16:16
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:16:17
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff7106a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:16:17
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	05:16:17
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff7ddfa0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:16:17
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff734650000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:16:17
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\clithe\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"
Imagebase:	0x2d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	05:17:18
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\doW4t2.a3x && del C:\ProgramData\\doW4t2.a3x
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	05:17:19
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	05:17:19
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xd90000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	05:17:23
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\clithe\file.exe
Wow64 process (32bit):	true
Commandline:	file.exe C:\ProgramData\\doW4t2.a3x
Imagebase:	0x2d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	05:17:27
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x850000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002E.00000002.3385347681.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	05:17:36
Start date:	20/11/2024
Path:	C:\dbgbkfc\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Imagebase:	0xd50000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	05:17:41
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x770000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.3268979112.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	05:17:44
Start date:	20/11/2024
Path:	C:\dbgbkfc\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Imagebase:	0xd50000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	05:17:48
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xfd0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Executed Functions

Function 0059B5A0 Relevance: 32.1, APIs: 13, Strings: 5, Instructions: 599
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059C420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,5D2E80A5,00000000,?,?,006198E6,000000FF), ref: 0059C474

FindFirstFileW.KERNELBASE(?,00000000,.ini,00000004,?,?,?,00000000,00000000,?,5D2E80A5), ref: 0059B706
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0059B771
SetFilePointer.KERNELBASE(00000000,00000002,?,00000000), ref: 0059B7B7
ReadFile.KERNELBASE(00000000,?,?,?,00000000,00000078,?), ref: 0059B7F5
CloseHandle.KERNELBASE(00000000), ref: 0059B84E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0059B950
SetCurrentDirectoryW.KERNELBASE(00000000), ref: 0059BBBD
OpenMutexW.KERNEL32(00100000,00000000,Global\_MSIExecute), ref: 0059BBF7
GetLastError.KERNEL32 ref: 0059BC11
FindClose.KERNEL32(?), ref: 0059BCCC

Strings

.ini, xrefs: 0059B6ED
Global\_MSIExecute, xrefs: 0059BBEB
2#vp1#v, xrefs: 0059B706
he, xrefs: 0059B8D2
0!X, xrefs: 0059B6FC, 0059BCC0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$CloseFindModuleName$CreateCurrentDirectoryErrorFirstHandleLastMutexOpenPointerRead
String ID: 2#vp1#v$.ini$0!X$Global\_MSIExecute$he
API String ID: 1061481847-515572728
Opcode ID: 7bfab81895a62d52d07a7b1aaa81f8e259967166c4fc0d4b53f8d7feffc6d40f
Instruction ID: cd330926f9239abbb543ffb80864ba4f99c68d68e3000aaeced67b16a5feed12
Opcode Fuzzy Hash: 7bfab81895a62d52d07a7b1aaa81f8e259967166c4fc0d4b53f8d7feffc6d40f
Instruction Fuzzy Hash: 9D32DD70A0064ADFEF10DFA8DD59BAEBFB5BF44320F144258E415A7281CB74AE05CBA1

Function 005CE3A0 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 291
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,00000004,?,00000000,?), ref: 005CE55E
GetForegroundWindow.USER32(?,00000004,?,00000000,?), ref: 005CE5D6
ShellExecuteExW.SHELL32(?), ref: 005CE5E3
ShellExecuteExW.SHELL32(?), ref: 005CE60C
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId), ref: 005CE641
GetProcAddress.KERNEL32(00000000), ref: 005CE648
GetProcessId.KERNELBASE ref: 005CE65B
AllowSetForegroundWindow.USER32(00000000), ref: 005CE65E

Strings

.cmd, xrefs: 005CE51F
runas, xrefs: 005CE5A1
open, xrefs: 005CE59C
GetProcessId, xrefs: 005CE637
/C ""%s" %s", xrefs: 005CE583
.bat, xrefs: 005CE4E5
%s\System32\cmd.exe, xrefs: 005CE56B
Kernel32.dll, xrefs: 005CE63C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExecuteForegroundShellWindow$AddressAllowDirectoryHandleModuleProcProcessWindows
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 2271306907-986041216
Opcode ID: 10e072249a569534c2da3da8541069d67f6d3a27bb2a8e36231ef066bc26cb7e
Instruction ID: f3d325c21caa1a40ef1a9afcbcc9f06e1b023a40bb829c380a03bf64d0d1f855
Opcode Fuzzy Hash: 10e072249a569534c2da3da8541069d67f6d3a27bb2a8e36231ef066bc26cb7e
Instruction Fuzzy Hash: 8AB1BC71A00249CFDB10DFA8C889BADBBB5FF18314F14416DE515EB391EB31AA05CB91

Function 0058AB00 Relevance: 21.9, APIs: 3, Strings: 9, Instructions: 926
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0058B456

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,00633AD2,?,?,?), ref: 0058B3BB

Part of subcall function 005A9710: FormatMessageW.KERNEL32(00001300,00000000,00000007,00000400,?,00000000,00000000,5D2E80A5,00000000,?), ref: 005A975B
Part of subcall function 005A9710: GetLastError.KERNEL32 ref: 005A9765

std::_Throw_Cpp_error.LIBCPMT ref: 0058B727

Part of subcall function 00594840: GetCurrentThreadId.KERNEL32 ref: 00594850

Strings

msix, xrefs: 0058AE18
Launch failed. Error:, xrefs: 0058B21B
msixbundle, xrefs: 0058AE5C
appx, xrefs: 0058AE9F
Return code of launched file:, xrefs: 0058B30C
he, xrefs: 0058B327
Launching file:, xrefs: 0058ABBA
he, xrefs: 0058ABF2
he, xrefs: 0058B26C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentErrorFormatHeapLastMessageProcessSleepThread
String ID: Launch failed. Error:$Launching file:$Return code of launched file:$appx$he$he$he$msix$msixbundle
API String ID: 3855751301-547343951
Opcode ID: d2dd1a7f5b73303f9120fe85be890a0e16f3b25e7a92ddb56e1a7c21e5e2cdaa
Instruction ID: 99abbdfc39b9129bdfcdf6b6a49444945bf3dd76d275bf4898cf1f21395edc32
Opcode Fuzzy Hash: d2dd1a7f5b73303f9120fe85be890a0e16f3b25e7a92ddb56e1a7c21e5e2cdaa
Instruction Fuzzy Hash: 2382EF70D00249CFEB10EF68C859BADBBB5BF44314F248299E815B7392EB746A45CF91

Function 005A4710 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 005A4762
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 005A476F
GetLastError.KERNEL32 ref: 005A4779
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,0061AE75), ref: 005A479D
GetLastError.KERNEL32 ref: 005A47A7
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,0061AE75,0061AE75,0061AE75), ref: 005A47CD
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005A4804
EqualSid.ADVAPI32(00000000,?), ref: 005A4813
FreeSid.ADVAPI32(?), ref: 005A4822
CloseHandle.KERNELBASE(00000000), ref: 005A485C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: ddeea5b272ee991e18c2888b54c6fe6f2fb9a4e9011e0a42e7d179da7c3c8d27
Instruction ID: dd71c258df6047e6cd953e7cfe5a0d4e187e81f80b5ec1ed5e1625c3499c7e80
Opcode Fuzzy Hash: ddeea5b272ee991e18c2888b54c6fe6f2fb9a4e9011e0a42e7d179da7c3c8d27
Instruction Fuzzy Hash: 4641347190021AABDF20DFA0EC49BEEBFB9FF09715F105018E411B2290D7B95A09DFA4

Function 005A98C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,5D2E80A5,00000007,00000007,?), ref: 005A98FA
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 005A9920
GetSystemMetrics.USER32(0000000C), ref: 005A9960
GetSystemMetrics.USER32(0000000B), ref: 005A9978
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 005A998B
FreeLibrary.KERNEL32(00000000), ref: 005A99A9

Strings

ComCtl32.dll, xrefs: 005A98EE
LoadIconMetric, xrefs: 005A991A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-764666640
Opcode ID: 1aa905332f27864172162337e7a5af009e0aa428ff990185d09e54c5d1b11d78
Instruction ID: 86d52320c5c1cca7b92cccb3785f7604cceea0f855c59555b2698625a9b7c5b4
Opcode Fuzzy Hash: 1aa905332f27864172162337e7a5af009e0aa428ff990185d09e54c5d1b11d78
Instruction Fuzzy Hash: 48319AB1A04629AFDB108FA4CC09BAFBFBAFB45750F04022DF825A3390D7755D058BA0

Function 0059DD10 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 271
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,5D2E80A5,?,?,?,?,?,?,?,?,?,?,00619EB6,000000FF), ref: 0059DD87
FindFirstFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,00619EB6,000000FF), ref: 0059DF0E
FindNextFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,00619EB6,000000FF), ref: 0059DF56
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00619EB6,000000FF), ref: 0059DF61
PathIsDirectoryW.SHLWAPI(00000000), ref: 0059DF9D

Strings

2#vp1#v, xrefs: 0059DF0E
p2#v3#v, xrefs: 0059DF56

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileFind$CloseDeleteDirectoryFirstNextPath
String ID: 2#vp1#v$p2#v3#v
API String ID: 3278268132-230733403
Opcode ID: 1cc469ba3fa7638f1e912cd12eee99749bca18fb5390815ef2e89a4999a6494c
Instruction ID: be6128675593f49dfa73d16890d16584c6b6cd2c4124576c8a24fc5a4078ca48
Opcode Fuzzy Hash: 1cc469ba3fa7638f1e912cd12eee99749bca18fb5390815ef2e89a4999a6494c
Instruction Fuzzy Hash: DCA1947190060A8FDF10DF68CC89BEEBBB5FF48314F144669E425A7391DB74A905CBA1

Function 005B4320 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 242fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B4650: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00000000,00000000), ref: 005B478F
Part of subcall function 005B4650: GetProcAddress.KERNEL32(00000000), ref: 005B4796
Part of subcall function 005B4650: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 005B47D0

FindFirstFileW.KERNEL32(?,?), ref: 005B4464
FindClose.KERNEL32(00000000), ref: 005B4498
FindClose.KERNEL32(00000000), ref: 005B4544

Strings

2#vp1#v, xrefs: 005B4464
0!X, xrefs: 005B446C, 005B448E, 005B4535

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$Close$AddressCurrentFileFirstHandleModuleProcProcess
String ID: 2#vp1#v$0!X
API String ID: 3560309239-2211160475
Opcode ID: 03a84396bc91e983bc52816112edf48d0d5ecc4c549b4623cb157b22fee6cae4
Instruction ID: 8cb8dd308887d39114ca78a3a6651de1ee2e36b13c7cfb50e0dde19a9772d8a7
Opcode Fuzzy Hash: 03a84396bc91e983bc52816112edf48d0d5ecc4c549b4623cb157b22fee6cae4
Instruction Fuzzy Hash: B0A1A431905A558BCB34DF28C8587ADBBB5FF45324F284699E429A73D2CB35AD81CF80

Function 005A6BA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 005A6C41
FindClose.KERNEL32(00000000,?,?), ref: 005A6CA0

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Strings

2#vp1#v, xrefs: 005A6C41
0!X, xrefs: 005A6C49, 005A6C91

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: 2#vp1#v$0!X
API String ID: 1673784098-2211160475
Opcode ID: 4eff775785db55a9910ea695e2d9363916040086f589c290406f085af3620300
Instruction ID: 8ca9fb58edb001c3b0edd63d50c6ea31238a1304111beada3f137849d4681772
Opcode Fuzzy Hash: 4eff775785db55a9910ea695e2d9363916040086f589c290406f085af3620300
Instruction Fuzzy Hash: E531EF31908618DBCB20DF14C849B5EBBB4FB4A320F24866AE859D3380E7309D448F90

Function 005BFF10 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 436registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

RegCreateKeyA.ADVAPI32(80000001,00000001,?), ref: 005BFF95
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 005BFFAD

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005C02C4

Strings

-, xrefs: 005C00BC

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$AllocateCreateOpenProcessValue
String ID: -
API String ID: 1583728613-2547889144
Opcode ID: 31f0246d6faf30a2ea6b0eb78c47bf929b477cddb2a14064540b7c2391fa4622
Instruction ID: 5e680a00f17cbffc3bfb8e16ce3d707b7c6df5c7888c1f29a3c3e467edf99f3f
Opcode Fuzzy Hash: 31f0246d6faf30a2ea6b0eb78c47bf929b477cddb2a14064540b7c2391fa4622
Instruction Fuzzy Hash: 22E19171A00619DFDB00DF98CC45BAEBBB9FF88720F14422AE915E7391DB75A905CB90

Function 005F1F2A Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,005BA67E), ref: 005F1F2F
HeapAlloc.KERNEL32(00000000), ref: 005F1F36
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F1F7C
HeapFree.KERNEL32(00000000), ref: 005F1F83

Part of subcall function 005F1DC8: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,005F1F72,00000000), ref: 005F1DEC
Part of subcall function 005F1DC8: HeapAlloc.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1DF3

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: dcb34967717746e0e21851d68a8377fbb7a647e1c341b8d97c7fcfb3ef7b3af3
Instruction ID: 342e759528ecc2b6a279290d756b9095c4e9575bbb0795e7db5eb2b43fd3baa7
Opcode Fuzzy Hash: dcb34967717746e0e21851d68a8377fbb7a647e1c341b8d97c7fcfb3ef7b3af3
Instruction Fuzzy Hash: 18F0B472648E16D7C7302B78BC0DE7B2D6ABF80BA1701482CF645C7240DF3488068778

Function 005D4B00 Relevance: 1.6, APIs: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(006313FC,00000000,00000001,00638A3C,000000B0,5D2E80A5,00000000,?,00000000,000000A0,-00000010,0062373C,000000FF,?,005CD39B), ref: 005D4C6D

Part of subcall function 005F46AF: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46BA
Part of subcall function 005F46AF: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46F4

Part of subcall function 005F465E: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F4668
Part of subcall function 005F465E: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F469B
Part of subcall function 005F465E: WakeAllConditionVariable.KERNEL32(0064FFB4,?,?,00583AC7,00650848,00626460), ref: 005F46A6

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionCreateInstanceVariableWake
String ID:
API String ID: 1170529896-0
Opcode ID: 699ac99ff8fb2205ddf6c7956f082eb0629728b99de9460d471d836192a0932a
Instruction ID: dcd626849be0ebf0072683a18750a4eae95c8ebec5059d090285729ba9234384
Opcode Fuzzy Hash: 699ac99ff8fb2205ddf6c7956f082eb0629728b99de9460d471d836192a0932a
Instruction Fuzzy Hash: 9B41C071601346DFE724DF08EC9AB4ABBB2FB02715F20421AE4159B3E1D3B56944CF99

Function 0059CB20 Relevance: 65.6, APIs: 17, Strings: 20, Instructions: 820
threadsynchronizationregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 0058CB10: FindResourceW.KERNEL32(00000000,00000100,00000006,00000000,000000FF,?,00000000,005BA070,000000FF,?,?,?,5D2E80A5,00000000,?,000000FF), ref: 0058CB4D
Part of subcall function 0058CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,000000FF,?,?,?,5D2E80A5,00000000,?,000000FF), ref: 0058CB7E
Part of subcall function 0058CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,?,5D2E80A5,00000000,?,000000FF,000000FF), ref: 0058CBB5

CreateThread.KERNELBASE(00000000,00000000,Function_0004CE80,?,00000000,?), ref: 0059CC9A
GetLastError.KERNEL32 ref: 0059CCA7

Part of subcall function 005BB9E0: GetCurrentThreadId.KERNEL32 ref: 005BB9E9
Part of subcall function 005BB9E0: DestroyWindow.USER32(?), ref: 005BB9F8

Part of subcall function 005AA750: InitializeCriticalSection.KERNEL32(00650A68,5D2E80A5,00000000,?), ref: 005AA78C
Part of subcall function 005AA750: EnterCriticalSection.KERNEL32(?,5D2E80A5,00000000,?), ref: 005AA799
Part of subcall function 005AA750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA7CB
Part of subcall function 005AA750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA7D4
Part of subcall function 005AA750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,00634EF4,00000001,?,?,000000FF,00000000), ref: 005AA86C
Part of subcall function 005AA750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA875

WaitForSingleObject.KERNEL32(?,?), ref: 0059CCCD
GetExitCodeThread.KERNEL32(?,?), ref: 0059CCE7
TerminateThread.KERNEL32(?,00000000), ref: 0059CCFF
CloseHandle.KERNELBASE(?), ref: 0059CD08
GetActiveWindow.USER32 ref: 0059D16F
SetLastError.KERNEL32(0000000E,?,00636134), ref: 0059D18C
WaitForSingleObject.KERNEL32(?,000000FF,?,00636134), ref: 0059D197
CloseHandle.KERNEL32(?,?,00636134), ref: 0059D1A0
GetCurrentThreadId.KERNEL32 ref: 0059D1D0
EnterCriticalSection.KERNEL32(00652C5C,?,00636134), ref: 0059D1ED
LeaveCriticalSection.KERNEL32(00652C5C,?,00636134), ref: 0059D210
DialogBoxParamW.USER32(000000D8,00000000,Function_0003BD70,00000000), ref: 0059D22D
WaitForSingleObject.KERNEL32(?,000000FF,?,00636134), ref: 0059D23A
CloseHandle.KERNEL32(?,?,00636134), ref: 0059D243

Part of subcall function 005AA750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,?,?,000000FF,00000000), ref: 005AA8BD
Part of subcall function 005AA750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA8C6
Part of subcall function 005AA750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,006337E8,00000002,?,?,000000FF,00000000), ref: 005AA935
Part of subcall function 005AA750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA93E
Part of subcall function 005AA750: LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA97A

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 0059D522

Strings

he, xrefs: 0059D47C
he, xrefs: 0059D043
he, xrefs: 0059CD9F
he, xrefs: 0059D2FF
Starting installing prerequisites in basic UI mode., xrefs: 0059D036
InterbootContext, xrefs: 0059CB83, 0059CB91
Reboot was refused=, xrefs: 0059D37E
Ec, xrefs: 0059CC11
false, xrefs: 0059D2D6, 0059D394, 0059D44F
true, xrefs: 0059D2D1, 0059D2F2, 0059D2F3, 0059D38F, 0059D3B0, 0059D3B1, 0059D44A, 0059D46F, 0059D470
Tsc, xrefs: 0059D143
Reboot in Progress=, xrefs: 0059D43C
4ac, xrefs: 0059CF68
Reboot was required=, xrefs: 0059D2BD
he, xrefs: 0059D3BD
\,e, xrefs: 0059D1D9
he, xrefs: 0059CE9A
After running prerequisites we have:, xrefs: 0059D2B1
No prerequisite must be installed., xrefs: 0059CD92
Starting installing prerequisites in silent mode., xrefs: 0059CE8D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$CriticalSectionThread$BuffersFlushWrite$CloseHandleObjectSingleWait$ByteCharCurrentEnterErrorLastLeaveMultiWideWindow$ActiveCodeCreateDeleteDestroyDialogExitFindHeapInitializeParamProcessResourceTerminate
String ID: Reboot in Progress=$ Reboot was refused=$ Reboot was required=$4ac$After running prerequisites we have:$InterbootContext$No prerequisite must be installed.$Starting installing prerequisites in basic UI mode.$Starting installing prerequisites in silent mode.$Tsc$\,e$false$he$he$he$he$he$he$true$Ec
API String ID: 2565466407-3292787948
Opcode ID: 17571350571a7cc09cb897ba58002a4d454ae46785e3b5280fe7c8b4f49edd4e
Instruction ID: bc94359adef2afa39f42794f1c3b422b2b671d586eec1a9a841796d7e4ec5882
Opcode Fuzzy Hash: 17571350571a7cc09cb897ba58002a4d454ae46785e3b5280fe7c8b4f49edd4e
Instruction Fuzzy Hash: 1D72DD30900249DFDF11EF68C859BADBFB5BF44324F188298F816A7391DB749A45CBA1

Function 005AEF30 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 005AEFAA
RegQueryValueExW.KERNELBASE(00000000,ProductType,00000000,00000000,?,?), ref: 005AEFDF
RegQueryValueExW.KERNELBASE(00000000,ProductSuite,00000000,00000000,?,?), ref: 005AF05E
RegCloseKey.KERNELBASE(00000000), ref: 005AF23E

Strings

CommunicationServer, xrefs: 005AF0EB
Small Business, xrefs: 005AF0A0
EmbeddedNT, xrefs: 005AF136
Blade, xrefs: 005AF180
Storage Server, xrefs: 005AF1C5
Enterprise, xrefs: 005AF0B9
ServerNT, xrefs: 005AF00C
BackOffice, xrefs: 005AF0D2
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 005AEFA0
Terminal Server, xrefs: 005AF104
Small Business(Restricted), xrefs: 005AF11D
WinNT, xrefs: 005AEFE9
Embedded(Restricted), xrefs: 005AF197
Security Appliance, xrefs: 005AF1AE
ProductSuite, xrefs: 005AF053
Compute Server, xrefs: 005AF1DC
ProductType, xrefs: 005AEFD4
DataCenter, xrefs: 005AF14F
Personal, xrefs: 005AF169

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 4c354b8571eb7e50df7a69b5bebfc12897651a9d1bf39199b96396ca796bd2fd
Instruction ID: d3729ae60d9d1ae2b320bbd1036910f7d93a89278ed86466b55702b6888d46cb
Opcode Fuzzy Hash: 4c354b8571eb7e50df7a69b5bebfc12897651a9d1bf39199b96396ca796bd2fd
Instruction Fuzzy Hash: 5171B23470035A9BDB20AF65DD45BAEBEA6FB82340F104575A906AB382FB34CD458B81

Function 005C0F80 Relevance: 39.4, APIs: 5, Strings: 17, Instructions: 865fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 005C14CE
CloseHandle.KERNEL32(00000000), ref: 005C14F5
GetFileSize.KERNEL32(00000000,00000000), ref: 005C1502
CloseHandle.KERNEL32(00000000), ref: 005C151A
DeleteFileW.KERNEL32(00000000), ref: 005C190E

Strings

Starting download of:, xrefs: 005C135D
Downloaded file was accepted., xrefs: 005C160E
he, xrefs: 005C13B3
he, xrefs: 005C171C
Download completed succesfully., xrefs: 005C144E
Download was canceled., xrefs: 005C18A8
[InternetShortcut]URL=%s, xrefs: 005C1BB8
!, xrefs: 005C1943
he, xrefs: 005C1959
he, xrefs: 005C21AC
open, xrefs: 005C1C32
he, xrefs: 005C161B
he, xrefs: 005C18B5
Launching URL:, xrefs: 005C2176
he, xrefs: 005C145B
Download failed. Error:, xrefs: 005C16D2
Downloaded file was rejected.(Invalid size or MD5)., xrefs: 005C194C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$CloseHandle$CreateDeleteSize
String ID: !$Download completed succesfully.$Download failed. Error:$Download was canceled.$Downloaded file was accepted.$Downloaded file was rejected.(Invalid size or MD5).$Launching URL:$Starting download of:$[InternetShortcut]URL=%s$he$he$he$he$he$he$he$open
API String ID: 3145970413-4187155845
Opcode ID: 917a0a44b831cdca84e1fd61008bb97aaeee0e216cca65a8420c1f6bb2b9810e
Instruction ID: 5deb90c3d1224bea03ac0d6a5545ccea7ac1b805534c392ec75fc904b42a1df5
Opcode Fuzzy Hash: 917a0a44b831cdca84e1fd61008bb97aaeee0e216cca65a8420c1f6bb2b9810e
Instruction Fuzzy Hash: B072B234A00A55CFDB14DFA8C898B6DBBB6FF85310F18415DE915AB392DB30AD06CB90

Function 005AEB80 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 005AEBF8
RegQueryValueExW.KERNELBASE(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 005AEC39
RegQueryValueExW.KERNELBASE(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 005AEC5C
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 005AEC8F
RegQueryValueExW.KERNELBASE(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 005AED08
RegQueryValueExW.KERNELBASE(00000000,ReleaseId,00000000,00000000,?,?), ref: 005AED7E
RegQueryValueExW.KERNELBASE(00000000,CSDVersion,00000000,00000000,?,?), ref: 005AEDD3
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 005AEE73
GetProcAddress.KERNEL32(00000000), ref: 005AEE7A
GetCurrentProcess.KERNEL32(?), ref: 005AEEB1
IsWow64Process.KERNEL32 ref: 005AEEC0
RegCloseKey.ADVAPI32(00000000), ref: 005AEEFA

Strings

CurrentVersion, xrefs: 005AEC84
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 005AEBEE
CurrentMajorVersionNumber, xrefs: 005AEC2E
ReleaseId, xrefs: 005AED73
,e, xrefs: 005AEDE4
CSDVersion, xrefs: 005AEDC8
IsWow64Process, xrefs: 005AEE69
kernel32, xrefs: 005AEE6E
CurrentBuildNumber, xrefs: 005AECFD
CurrentMinorVersionNumber, xrefs: 005AEC51

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32$,e
API String ID: 2654979339-1525434530
Opcode ID: c898a70d24fb824ba9f7e3054f13d8b06c3d0a389e0230360aa172ce2557c5f3
Instruction ID: 69678106d4a6f36a7ffbd5e3dde3f78657a737b3075a6ea543c30579787808fb
Opcode Fuzzy Hash: c898a70d24fb824ba9f7e3054f13d8b06c3d0a389e0230360aa172ce2557c5f3
Instruction Fuzzy Hash: ACA17FB0900769DFDB60CF14CD49B9EBBBAFB55712F0002A9E409A7291EB355E94CF50

Function 005B4650 Relevance: 35.4, APIs: 3, Strings: 17, Instructions: 447
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005C5180: GetSystemDefaultLangID.KERNEL32(5D2E80A5,00000000,?,?,?,5D2E80A5), ref: 005C51B7

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00000000,00000000), ref: 005B478F
GetProcAddress.KERNEL32(00000000), ref: 005B4796
GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 005B47D0

Strings

he, xrefs: 005B4BC0
IsWow64Process2, xrefs: 005B4785
Wrong OS or Os language for:, xrefs: 005B4B8F
he, xrefs: 005B4920
No acceptable version found. It must be downloaded., xrefs: 005B4AB7
No acceptable version found. It must be installed from package., xrefs: 005B4AB0
kernel32, xrefs: 005B478A
Search result:, xrefs: 005B4A76
No acceptable version found., xrefs: 005B4AD3
An acceptable version was found., xrefs: 005B4AA9, 005B4AFF, 005B4B00
Not selected for install., xrefs: 005B4ADA
Searching for:, xrefs: 005B48D5
No acceptable version found. Operating System not supported., xrefs: 005B4AC5
No acceptable version found. It is already downloaded and it will be installed., xrefs: 005B4ACC
he, xrefs: 005B4B0C
No acceptable version found. It must be downloaded manually from a site., xrefs: 005B4ABE
Undefined, xrefs: 005B4AE1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressCurrentDefaultHandleLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$he$he$he$kernel32
API String ID: 323535258-4201337374
Opcode ID: d7556a49568edbebe6c9423ebedf72d1c5c3712f0d3e9376a67fde7a12939fe2
Instruction ID: 9c3b97853ff79a201ad70ac7f4d9f96b5f7a599942758a97beda9c77e4f29be9
Opcode Fuzzy Hash: d7556a49568edbebe6c9423ebedf72d1c5c3712f0d3e9376a67fde7a12939fe2
Instruction Fuzzy Hash: 480280749006059FDB24DF68C858AAEBFB6FF44314F248259E912A7392DB30BD46CF80

Function 00584450 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 268
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00584547
GetProcAddress.KERNEL32(00000000), ref: 0058454E
GetWindowsDirectoryW.KERNEL32(?,00000104,5D2E80A5,00000000), ref: 00584594
PathFileExistsW.SHLWAPI(?), ref: 005845BC
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,?,00000001,S-1-5-18,?,00000001), ref: 0058463F

Part of subcall function 005F46AF: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46BA
Part of subcall function 005F46AF: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46F4

GetTempPathW.KERNEL32(00000104,?,5D2E80A5,00000000), ref: 00584662

Part of subcall function 005F465E: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F4668
Part of subcall function 005F465E: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F469B
Part of subcall function 005F465E: WakeAllConditionVariable.KERNEL32(0064FFB4,?,?,00583AC7,00650848,00626460), ref: 005F46A6

Strings

\SystemTemp\, xrefs: 0058459A
S-1-5-32-544, xrefs: 005845F2
S-1-5-18, xrefs: 005845DF
GetTempPath2W, xrefs: 0058453D
d, xrefs: 005846D0
URL, xrefs: 00584450, 0058480D
Kernel32.dll, xrefs: 00584542

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: d$GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$URL$\SystemTemp\
API String ID: 3143601600-1600086137
Opcode ID: a89f610c213eaadeeb73e210c5bf3cc961e562c653d783278b9c9fc6d1775398
Instruction ID: 6c302a3b66bbec2c259e3a8d316e4c6848f6bad8b8d75862d38344912ffb566d
Opcode Fuzzy Hash: a89f610c213eaadeeb73e210c5bf3cc961e562c653d783278b9c9fc6d1775398
Instruction Fuzzy Hash: 47B1E3B1D00219DBDB20EFA4DC59B9EBBB5FF45310F100299E909A7291EB746E44CF51

Function 005BA610 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 184
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 005BA64A
SetLastError.KERNEL32(0000000E), ref: 005BA687
GetCurrentThreadId.KERNEL32 ref: 005BA712
SetWindowTextW.USER32(?,00000000), ref: 005BA79E
GetDlgItem.USER32(?,000003E9), ref: 005BA7AC
SetWindowTextW.USER32(00000000,?), ref: 005BA7B8

Part of subcall function 005BBA50: GetDlgItem.USER32(?,00000002), ref: 005BBA6D
Part of subcall function 005BBA50: GetWindowRect.USER32(00000000,?), ref: 005BBA83
Part of subcall function 005BBA50: ShowWindow.USER32(00000000,00000000,?,?,?,?,005BA66A), ref: 005BBA98
Part of subcall function 005BBA50: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,005BA66A), ref: 005BBAA3
Part of subcall function 005BBA50: GetDlgItem.USER32(?,000003E9), ref: 005BBAB1
Part of subcall function 005BBA50: GetWindowRect.USER32(00000000,?), ref: 005BBAC7
Part of subcall function 005BBA50: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,005BA66A), ref: 005BBB06

Strings

\,e, xrefs: 005BA6B2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$Text$ActiveCurrentErrorInvalidateLastShowThread
String ID: \,e
API String ID: 2012338523-2651779263
Opcode ID: 9253608ee7e31399223fb3a2f229ce2067d4f7ce46bb16c6241b9ce0899f37f8
Instruction ID: 5369806257ad951a2263233364126595a1a160c83d27cd32b4115d6c9c9e48e6
Opcode Fuzzy Hash: 9253608ee7e31399223fb3a2f229ce2067d4f7ce46bb16c6241b9ce0899f37f8
Instruction Fuzzy Hash: 8F71FE31A04705EFDB11DF68DC48B9EBFB6FF05720F148669E825AB291CB74A901CB91

Function 005BAA70 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 407
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,AI_,00000000,?,?,?,?,?,?,?,?,?,?,0061F0F5,000000FF), ref: 005BABD7
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0061F0F5,000000FF), ref: 005BAC0F

Strings

AI_, xrefs: 005BABCF
.ps1, xrefs: 005BAC3F, 005BAC51, 005BAC5B
%s -paths %s -retry_count %d, xrefs: 005BAD03
RemoteSigned, xrefs: 005BAD43
-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s", xrefs: 005BAD48

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteNameTemp
String ID: %s -paths %s -retry_count %d$-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s"$.ps1$AI_$RemoteSigned
API String ID: 1648863064-656004915
Opcode ID: e4bba5cfb4e31a549c86190a47ebcbc4c935bda809488248cb3a6876dbd5a079
Instruction ID: 78ae20e17a9f93be2e06d70a050ebaf40a7d098adabcfdc6ccd7f4778f4ff1c3
Opcode Fuzzy Hash: e4bba5cfb4e31a549c86190a47ebcbc4c935bda809488248cb3a6876dbd5a079
Instruction Fuzzy Hash: B6E1C631A0064ADFDB05EF68CC59AADBFB5FF84320F188158E815A7391DB34AE05DB91

Function 005F1CBC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,005F2002,0064F82C,?,?,?,005CD485,00000000,5D2E80A5,?), ref: 005F1CCE
LoadLibraryExA.KERNELBASE(atlthunk.dll,00000000,00000800,?,?,?,005F2002,0064F82C,?,?,?,005CD485,00000000,5D2E80A5,?), ref: 005F1CE3
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005F1D5F

Strings

atlthunk.dll, xrefs: 005F1CDE
AtlThunk_FreeData, xrefs: 005F1D39
AtlThunk_DataToCode, xrefs: 005F1D22
AtlThunk_AllocateData, xrefs: 005F1CF4
AtlThunk_InitData, xrefs: 005F1D0B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 0dbf0232bb01de8791e340b1321986d1840e07ff46da1895f52526400b069d03
Instruction ID: c46418e57d6e974e89018b72deae39e10d8077dacc93889380c7a9a9556873e8
Opcode Fuzzy Hash: 0dbf0232bb01de8791e340b1321986d1840e07ff46da1895f52526400b069d03
Instruction Fuzzy Hash: E001C834651A1CFBCB216710AC07FF93F76AF42754F050060BD44EA192D7A69609C5D9

Function 005AF8E0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,5D2E80A5,00000000,?,?,00000000,0061CCC5,000000FF,?,005BA745), ref: 005AF945
GetFileVersionInfoW.KERNELBASE(?,?,00000000,005BA745,00000000,?,00000000,0061CCC5,000000FF,?,005BA745), ref: 005AF993
VerQueryValueW.VERSION(005BA745,\VarFileInfo\Translation,0061CCC5,000000FF,?,00000000,0061CCC5,000000FF,?,005BA745), ref: 005AF9DB
VerQueryValueW.VERSION(005BA745,?,?,00000000,?,?,?,?,?,00000000,0061CCC5,000000FF,?,005BA745), ref: 005AFA3A

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 005AFA0B
ProductName, xrefs: 005AFA01
\VarFileInfo\Translation, xrefs: 005AF9D5

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2099394744-2149928195
Opcode ID: 46cb6ac3cacbdb57829ac39261964ec0a98f98f5e41071b3091e0f9eed21f985
Instruction ID: 960475522b533cbf3948e6d42fb0fa12a9c9d73658f5f3625b9db61e6235cf7e
Opcode Fuzzy Hash: 46cb6ac3cacbdb57829ac39261964ec0a98f98f5e41071b3091e0f9eed21f985
Instruction Fuzzy Hash: AF71B030A0060ADFCF14DFA8C899AEEBFB9FF45314F144169E916A7291DB349D05CBA1

Function 005A7BD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005A7D54
GetLastError.KERNEL32 ref: 005A7D65
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005A7D7B
GetExitCodeProcess.KERNELBASE(00000000,00000000), ref: 005A7D8C
CloseHandle.KERNEL32(00000000), ref: 005A7D9A

Strings

Nc, xrefs: 005A7C41

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: Nc
API String ID: 1481985272-1584449269
Opcode ID: 31cb863c208035671ea6e3aeb379e8c46174765c86c821a76639440b0e7e6b87
Instruction ID: ba41b9567cfacf30b56b2bc432262e8bc0f1f7af4959f3b82ffc984adc426373
Opcode Fuzzy Hash: 31cb863c208035671ea6e3aeb379e8c46174765c86c821a76639440b0e7e6b87
Instruction Fuzzy Hash: 88617B71A04619CFDB14CF68C858BAEBBB5FF49324F148259E825A73D0DB74AD05CB90

Function 005BBA50 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 005BBA6D
GetWindowRect.USER32(00000000,?), ref: 005BBA83
ShowWindow.USER32(00000000,00000000,?,?,?,?,005BA66A), ref: 005BBA98
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,005BA66A), ref: 005BBAA3
GetDlgItem.USER32(?,000003E9), ref: 005BBAB1
GetWindowRect.USER32(00000000,?), ref: 005BBAC7
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,005BA66A), ref: 005BBB06

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 94ab6acbe03f1db6c79b3a12fe85f31478677812b96ffa2a36fd56b539b1344e
Instruction ID: af03f5e3eee58e0f3b941a628bbcf411f06d60abfffbd11a2bca557f1901369c
Opcode Fuzzy Hash: 94ab6acbe03f1db6c79b3a12fe85f31478677812b96ffa2a36fd56b539b1344e
Instruction Fuzzy Hash: A2219D71618701AFE310DF34DC4AEABBBE9FF89B00F008619F855D2190E770AD518B92

Function 005C3FD0 Relevance: 7.7, APIs: 5, Instructions: 168threadCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 005C411A

Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 005CCA3E
Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005CCA4D

Part of subcall function 005BBEA0: GetWindowLongW.USER32(?,000000F0), ref: 005BBEE7
Part of subcall function 005BBEA0: GetParent.USER32(00000000), ref: 005BBEFA
Part of subcall function 005BBEA0: GetWindowRect.USER32(?,?), ref: 005BBF13
Part of subcall function 005BBEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 005BBF26
Part of subcall function 005BBEA0: MonitorFromWindow.USER32(?,00000002), ref: 005BBF3E
Part of subcall function 005BBEA0: GetMonitorInfoW.USER32(00000000,?), ref: 005BBF54

SetWindowTextW.USER32(?,?), ref: 005C4031

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

GetDlgItem.USER32(00000001,0000040A), ref: 005C407B
SetWindowTextW.USER32(00000000,?), ref: 005C4086

Part of subcall function 005D4D20: GetWindowLongW.USER32(?,000000F0), ref: 005D4D35
Part of subcall function 005D4D20: GetParent.USER32(?), ref: 005D4D43

CreateThread.KERNELBASE(00000000,00000000,Function_000444A0,?,00000000,?), ref: 005C40AA

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$MessageMonitorParentSendText$CreateDialogFindFromHeapInfoItemProcessRectResourceThread
String ID:
API String ID: 758803202-0
Opcode ID: 86cad2e9777f4f8323c741a6f77f187a5f8da9dfa413e638f6d303d0664c974f
Instruction ID: 79317066094df85e91b34549c1a2a9daab924941696901919c5d1faac866ef0d
Opcode Fuzzy Hash: 86cad2e9777f4f8323c741a6f77f187a5f8da9dfa413e638f6d303d0664c974f
Instruction Fuzzy Hash: 8F51EE72A0460AAFD710DF98DC45FAABBA4FB58320F04422AED15D7790DB75A950CFE0

Function 005A7A00 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 005A7A17
PeekMessageW.USER32(?,00000000), ref: 005A7A48
TranslateMessage.USER32(00000000), ref: 005A7A57
DispatchMessageW.USER32(00000000), ref: 005A7A62
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 005A7A78

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 67d73a270629087924628a6b192e9a0ffd11fd07f23891fd33992a6e81160d03
Instruction ID: 43198b4ece2dc6d4691e7c2c186f09c215ff1ea062f1899deeffe9a03fd21e71
Opcode Fuzzy Hash: 67d73a270629087924628a6b192e9a0ffd11fd07f23891fd33992a6e81160d03
Instruction Fuzzy Hash: 0101F170A883057BE720CF608C45F6E7BE8BB5DB20F005618BA14D10C0E770C6849B22

Function 005BA920 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,5D2E80A5,?,00000000,?,0061EFEE,000000FF), ref: 005BA975
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe), ref: 005BA98C
PathFileExistsW.KERNELBASE(00000000), ref: 005BA99A

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

Strings

WindowsPowerShell\v1.0\powershell.exe, xrefs: 005BA983

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Path$AppendExistsFileFindFolderHeapProcessResource
String ID: WindowsPowerShell\v1.0\powershell.exe
API String ID: 2424349261-2665178159
Opcode ID: 1e55e860f0a6c7d71dd98f47d53a676bb007294502b8d634cdac6153552a65bf
Instruction ID: c9bd4187149aae58a806e06f53709616db85c3732ecda9a0cf104843e4ce30b3
Opcode Fuzzy Hash: 1e55e860f0a6c7d71dd98f47d53a676bb007294502b8d634cdac6153552a65bf
Instruction Fuzzy Hash: 7D51F5756006499FDB20EF68CC49BEE7BA9FB44710F104529F916DB381EB34AA04CB61

Function 0060710D Relevance: 6.1, APIs: 4, Instructions: 83memorylibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00657000,00000080,00000004,00000000,?,?,00607268,0000001A,AppPolicyGetProcessTerminationMethod,0062D708,AppPolicyGetProcessTerminationMethod,00000000,?,0060986F,00000000), ref: 00607176
VirtualProtect.KERNELBASE(00657000,00000080,00000002,00000000,?,?,00607268,0000001A,AppPolicyGetProcessTerminationMethod,0062D708,AppPolicyGetProcessTerminationMethod,00000000,?,0060986F,00000000), ref: 0060719E
FreeLibrary.KERNEL32(00000000,?,?,?,?,00607268,0000001A,AppPolicyGetProcessTerminationMethod,0062D708,AppPolicyGetProcessTerminationMethod,00000000,?,0060986F,00000000), ref: 006071C0
GetProcAddress.KERNEL32(00000000,?), ref: 006071CA

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual$AddressFreeLibraryProc
String ID:
API String ID: 3998452802-0
Opcode ID: 756f49e3224d6e493d37d9081aee120a6a60775cae1b06bcc15f9f8b2c14e133
Instruction ID: 1c360a2d30bea857faecd707abd4c4f6b4b2d3bc51f0b70583f0a48c2395f6d2
Opcode Fuzzy Hash: 756f49e3224d6e493d37d9081aee120a6a60775cae1b06bcc15f9f8b2c14e133
Instruction Fuzzy Hash: 9F212F32A48125ABDB3A8F68DC45E9B379AEF41770F280165FD15973D0DA30ED01C6A4

Function 005BB9E0 Relevance: 6.0, APIs: 4, Instructions: 28threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005BB9E9
DestroyWindow.USER32(?), ref: 005BB9F8
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 005BBA15
IsWindow.USER32(?), ref: 005BBA23

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: bc7857fad2e42616d2932da0f765bf5a7baa97a05ff069be484a3adb6cbf7aa4
Instruction ID: d8b75fa6aa99929889d8c7e78694a653bd5a57869c1ad90351d9fbe923aeca82
Opcode Fuzzy Hash: bc7857fad2e42616d2932da0f765bf5a7baa97a05ff069be484a3adb6cbf7aa4
Instruction Fuzzy Hash: 36F08C3041AB409FE7319B24EE08B92BFE2BF08B00F44694CE48696A90C7F0F841CB58

Function 005C04A0 Relevance: 4.6, APIs: 3, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,5D2E80A5), ref: 005C04E0
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005C0528
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C,?), ref: 005C0579

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Open$InfoQuery
String ID:
API String ID: 223210943-0
Opcode ID: 8e1a0c64e35ed7615edc02de7878d60379c52f3e5d4d44f078e830e5b5c33bb3
Instruction ID: 6f6d98c26b3122b9282a106678de3b3a1c907ba8f6e1db67f45bd1643e7777b5
Opcode Fuzzy Hash: 8e1a0c64e35ed7615edc02de7878d60379c52f3e5d4d44f078e830e5b5c33bb3
Instruction Fuzzy Hash: 8821A071A40209EFEB10DF84DD41FAAFBB9FB04720F10012AFA14A72C0D7B1A914CBA1

Function 0059F680 Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0059F6B7
DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,?,?,?,0061A415,000000FF), ref: 0059F6D2

Part of subcall function 0059F980: GetCurrentThreadId.KERNEL32 ref: 0059F9E5

Part of subcall function 0059F7F0: EnterCriticalSection.KERNEL32(00650A1C,5D2E80A5), ref: 0059F82F
Part of subcall function 0059F7F0: DestroyWindow.USER32(00000000), ref: 0059F84D
Part of subcall function 0059F7F0: LeaveCriticalSection.KERNEL32(00650A1C), ref: 0059F896

CoUninitialize.COMBASE ref: 0059F715

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSectionWindow$CurrentDestroyEnterInitializeLeaveProcThreadUninitialize
String ID:
API String ID: 2072714735-0
Opcode ID: 72a886914263af283fef4bb28813f7d2e7b57b3bb4a32089f360781f218f0049
Instruction ID: eb4f3b0be8d8d321d1c961699a72a40fc59cbdf7c98f8c7db87360e3e1ece1e3
Opcode Fuzzy Hash: 72a886914263af283fef4bb28813f7d2e7b57b3bb4a32089f360781f218f0049
Instruction Fuzzy Hash: A1118231A55288BFEB20EFA8DD09BDD7BA4FF05710F104159F819972D1DB742604CB92

Function 005C4290 Relevance: 4.5, APIs: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040B), ref: 005C429D
SendMessageW.USER32(00000000,00000401,00000000), ref: 005C42B8
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 005C42C8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 763e3f2a84824009e10225721cc63a97d173763ed9f3bc05fd39b0e1275c8d94
Instruction ID: 85a047a2136108c0033199cf6e140ce5ee14d5b8ae8ad1af52123a471491e3a4
Opcode Fuzzy Hash: 763e3f2a84824009e10225721cc63a97d173763ed9f3bc05fd39b0e1275c8d94
Instruction Fuzzy Hash: 39F06CB12447106FF760DF159C49F567699EF88750F218115F700E92D5C3F558029B68

Function 006041A3 Relevance: 4.5, APIs: 3, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0060419D,?,?,005F96A2), ref: 006041B1
TerminateProcess.KERNEL32(00000000,?,0060419D,?,?,005F96A2), ref: 006041B8
ExitProcess.KERNEL32 ref: 006041CA

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c39c3eedb2a718c1d8ee23f6aded8a253347c8932ed33292b98b8007a1e7ac5
Instruction ID: 9cac10e8e166a436b8b1391b75e1c6b4c4af00bd2c7feaae223277c29c12e1e2
Opcode Fuzzy Hash: 8c39c3eedb2a718c1d8ee23f6aded8a253347c8932ed33292b98b8007a1e7ac5
Instruction Fuzzy Hash: B9D05EB1008648BBCB262F60DD0DED93F67EF00301F048094BA09440B0CF3189E6CB84

Function 005BBB30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,?), ref: 005BBC0E

Strings

$, xrefs: 005BBB61

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LongWindow
String ID: $
API String ID: 1378638983-3993045852
Opcode ID: ddc8374bf28bab28e6663ce91512eddf682ccdcba1ec345882538684b9474d41
Instruction ID: 135c31080367d940161ca44e116013a38b0120ce411f613f26e8b6e3f8578d79
Opcode Fuzzy Hash: ddc8374bf28bab28e6663ce91512eddf682ccdcba1ec345882538684b9474d41
Instruction Fuzzy Hash: E43143712083499FEB10CF19C885BAABFF4FB88710F044919F945872A0C7F5ED488B92

Function 005C0631 Relevance: 3.3, APIs: 2, Instructions: 303registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.KERNELBASE(?,?,?,?,00000000,?,00000000,?,5D2E80A5), ref: 005C06C8
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?,?), ref: 005C06F8

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 0058CB10: FindResourceW.KERNEL32(00000000,00000100,00000006,00000000,000000FF,?,00000000,005BA070,000000FF,?,?,?,5D2E80A5,00000000,?,000000FF), ref: 0058CB4D
Part of subcall function 0058CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,000000FF,?,?,?,5D2E80A5,00000000,?,000000FF), ref: 0058CB7E
Part of subcall function 0058CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,?,5D2E80A5,00000000,?,000000FF,000000FF), ref: 0058CBB5

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ByteCharEnumMultiValueWide$FindHeapProcessResource
String ID:
API String ID: 4070800961-0
Opcode ID: 2ac6294dfbda3ace1cdd978a87eeb81865f83386ad69975fea08491d8cf31cc0
Instruction ID: 6e854848a92f17c195498f61b85690c3633958ceb211025aa40df3987ef229d3
Opcode Fuzzy Hash: 2ac6294dfbda3ace1cdd978a87eeb81865f83386ad69975fea08491d8cf31cc0
Instruction Fuzzy Hash: C9B1B371A00649DFDB04DF98C894BAEBBB9FF48320F144169E915A7391DB34AE05CFA1

Function 005CD4C0 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005CD512
EndDialog.USER32(00000000,00000001), ref: 005CD521

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 01d60314b14b5d1b7914f183a32a55d1a0288379fb1757843e81f0d4cac06158
Instruction ID: edf8a56a48b098121e8ae47c43ef8163c168736424978f8236c8614f567f7397
Opcode Fuzzy Hash: 01d60314b14b5d1b7914f183a32a55d1a0288379fb1757843e81f0d4cac06158
Instruction Fuzzy Hash: B0619B70A01644DFCB05DF68C948B58BFB5BF09324F1582ADE819EB391CB74AE01CBA1

Function 005A7C78 Relevance: 3.1, APIs: 2, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005A7D54
GetLastError.KERNEL32 ref: 005A7D65
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005A7D7B
GetExitCodeProcess.KERNELBASE(00000000,00000000), ref: 005A7D8C
CloseHandle.KERNEL32(00000000), ref: 005A7D9A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID:
API String ID: 1481985272-0
Opcode ID: 4956876183523fcd67b0c25d998cd397ab6a6e2f25f8afaa6095ccb0005f1f58
Instruction ID: c3da14bd04ed6409c339e3b3c8ead0a767d57d8216a7eb9342b51c5cebaeefcb
Opcode Fuzzy Hash: 4956876183523fcd67b0c25d998cd397ab6a6e2f25f8afaa6095ccb0005f1f58
Instruction Fuzzy Hash: 4B41A071A05A4A8BDB15CF68CC5426DBBB1FF8A330F188359E825A73D1D734AD02CB91

Function 005C41C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 005C4209

Strings

Tsc, xrefs: 005C41F3

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle
String ID: Tsc
API String ID: 2962429428-1146963369
Opcode ID: ddfde97f7024d7a62ea324424331258c17f9ab29f1e136bc0a470ca838366812
Instruction ID: ff445748e575b5cb71259f21a211895793f0a7d32f04ffdc857a3d85fa789ed9
Opcode Fuzzy Hash: ddfde97f7024d7a62ea324424331258c17f9ab29f1e136bc0a470ca838366812
Instruction Fuzzy Hash: C1218E74A05645EFDB14CFA9D945F5ABBB8FF08720F14029DE815D7390C770A904CBA1

Function 005BB780 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 005BB7F1

Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 005CCA3E
Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005CCA4D

Part of subcall function 005BBA50: GetDlgItem.USER32(?,00000002), ref: 005BBA6D
Part of subcall function 005BBA50: GetWindowRect.USER32(00000000,?), ref: 005BBA83
Part of subcall function 005BBA50: ShowWindow.USER32(00000000,00000000,?,?,?,?,005BA66A), ref: 005BBA98
Part of subcall function 005BBA50: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,005BA66A), ref: 005BBAA3
Part of subcall function 005BBA50: GetDlgItem.USER32(?,000003E9), ref: 005BBAB1
Part of subcall function 005BBA50: GetWindowRect.USER32(00000000,?), ref: 005BBAC7
Part of subcall function 005BBA50: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,005BA66A), ref: 005BBB06

Part of subcall function 005BBEA0: GetWindowLongW.USER32(?,000000F0), ref: 005BBEE7
Part of subcall function 005BBEA0: GetParent.USER32(00000000), ref: 005BBEFA
Part of subcall function 005BBEA0: GetWindowRect.USER32(?,?), ref: 005BBF13
Part of subcall function 005BBEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 005BBF26
Part of subcall function 005BBEA0: MonitorFromWindow.USER32(?,00000002), ref: 005BBF3E
Part of subcall function 005BBEA0: GetMonitorInfoW.USER32(00000000,?), ref: 005BBF54

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$ItemLongMessageMonitorSend$EnableFromInfoInvalidateParentShow
String ID:
API String ID: 2603943895-0
Opcode ID: 0a0010316c4823201ba288decdbc845ac6553ee8daf9b024abc6ccd6ab5d30a0
Instruction ID: 22a2e3150c60b120db89238a711b9876c7e5c3f7a57ec68199cf7cf017d1f371
Opcode Fuzzy Hash: 0a0010316c4823201ba288decdbc845ac6553ee8daf9b024abc6ccd6ab5d30a0
Instruction Fuzzy Hash: C11181766101095BE720DF08EC45BE67BA8EB94320F004266FC1587691D7F5E861DBE1

Function 005CCA00 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005A98C0: LoadLibraryW.KERNEL32(ComCtl32.dll,5D2E80A5,00000007,00000007,?), ref: 005A98FA
Part of subcall function 005A98C0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 005A9920
Part of subcall function 005A98C0: FreeLibrary.KERNEL32(00000000), ref: 005A99A9

Part of subcall function 005A98C0: GetSystemMetrics.USER32(0000000C), ref: 005A9960
Part of subcall function 005A98C0: GetSystemMetrics.USER32(0000000B), ref: 005A9978
Part of subcall function 005A98C0: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 005A998B

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 005CCA3E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005CCA4D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMessageMetricsSendSystem$AddressFreeImageProc
String ID:
API String ID: 852476325-0
Opcode ID: 4a27f9ca1173bbb67291e2d2b286d18bb5c953cc615e5c42741f1412a9286b89
Instruction ID: 150cae8f3d559a148b1f55f7ad1bded996a90cc98f1b468aa778da6d1012ec15
Opcode Fuzzy Hash: 4a27f9ca1173bbb67291e2d2b286d18bb5c953cc615e5c42741f1412a9286b89
Instruction Fuzzy Hash: 07F0307278071037F73011695C4BF6B664DE7C6BA1F144265FA95EB2C1ECEA6C0542E8

Function 0060D820 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00604615), ref: 0060D823
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,00604615), ref: 0060D862

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 1e8705d8bb5535fc06cbe24e39ceaf31a44a7344fe17e55df00560224ea060ea
Instruction ID: 3fd60ffa33acba445b4e1c3a50753d585b2f85ae0b46a7db3fa13c236444a09a
Opcode Fuzzy Hash: 1e8705d8bb5535fc06cbe24e39ceaf31a44a7344fe17e55df00560224ea060ea
Instruction Fuzzy Hash: 2DE0923B28AA2126D36933B9BC8EEDF1B0BDFC5675715022AF615862C2EE148C0240E5

Function 005A6150 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,006338A1,000000FF,00000000,00000000,00000000,?,?,005B83BC,006338A1), ref: 005A6168
MultiByteToWideChar.KERNEL32(00000003,00000000,006338A1,000000FF,?,-00000001,?,005B83BC,006338A1), ref: 005A619A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: eff31b046e387e2f66afe5d56219757aca1a5ac9858465a1eb1da270c3482a76
Instruction ID: 564fc90e14792cdd7c6bc49c900661a24f1e34a023f2ae859179d5073e05cd25
Opcode Fuzzy Hash: eff31b046e387e2f66afe5d56219757aca1a5ac9858465a1eb1da270c3482a76
Instruction Fuzzy Hash: 9F01C032301212AFDA10AB49DC99F1EBB5AFFD5721F204119F614EB2D1CA21681187A4

Function 005C44A0 Relevance: 2.5, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005C44C5
CoUninitialize.OLE32(00000000,?,?,?,00620B9D,000000FF), ref: 005C44F2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InitializeUninitialize
String ID:
API String ID: 3442037557-0
Opcode ID: b722f8e27632729dabb46bff228a3533c80a2712f28ccc7b7455576dda5458ac
Instruction ID: 47ff0fad60282d15b184a165e9d475e4e4d081bcc07f44feb54491cbc303750a
Opcode Fuzzy Hash: b722f8e27632729dabb46bff228a3533c80a2712f28ccc7b7455576dda5458ac
Instruction Fuzzy Hash: 7AF06275A08648AFD721CFA8D948F99BFF9FB09710F108699E825872D0CB355900CB50

Function 0059AFD0 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,5D2E80A5,?,?,?,0061922D,000000FF), ref: 0059B005

Part of subcall function 00598780: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00598890

Part of subcall function 005F3148: GetCurrentThreadId.KERNEL32 ref: 005F3173

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CurrentFolderInitializePathThread
String ID:
API String ID: 2098070997-0
Opcode ID: d94a0ca590c30514347847684f64b79444cbdaebf8345517d2a5479a61842d46
Instruction ID: c41633ab3912eec101110ec4bc1af393d9f8edcb2a55900c7b0c9c821baeab63
Opcode Fuzzy Hash: d94a0ca590c30514347847684f64b79444cbdaebf8345517d2a5479a61842d46
Instruction Fuzzy Hash: 9321DE71A00715AFE720DF64DC45F6BBBE9FB49B20F104A1AF92197380DB75A9008BA0

Function 005F17EC Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,005F1944,0064F7DC,?,?,?,?,?,?,?,?,005F1642,00000000,00000000,00000004), ref: 005F187E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d3a772a63f09208fb7561860e13a227057cc64f9264cf2110be80d9ac2fda026
Instruction ID: 7c0da1a3f7a4d51a23a937312974e4843044edac2926c8145629c6a6a065ddec
Opcode Fuzzy Hash: d3a772a63f09208fb7561860e13a227057cc64f9264cf2110be80d9ac2fda026
Instruction Fuzzy Hash: 9E11B17650060DEADB208E40AA54BBB3F6DFF457A4F24002AFB0167140DB788D019668

Function 005C42F1 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 005C432F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: d0252a73a25118f0f4d76f8800233fa516c9b48cc984741837f0af32e28e8795
Instruction ID: 4023fb83885532219506a08200f7f42e137d4bac177ae655ac65db675fa9a877
Opcode Fuzzy Hash: d0252a73a25118f0f4d76f8800233fa516c9b48cc984741837f0af32e28e8795
Instruction Fuzzy Hash: D3018B70608602EFC7249F64D808F4ABBA6FF84B05F00852DE808576A1CB70A852DF40

Function 005C0400 Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C), ref: 005C0472

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2c3762db65bbffbc47aa982c740804c090a5e44b1bff058c59a5dc5e49fafb03
Instruction ID: 02582652cf6ab047703313141991ca66c22d54f906eb069ee90fc7dba8f17d52
Opcode Fuzzy Hash: 2c3762db65bbffbc47aa982c740804c090a5e44b1bff058c59a5dc5e49fafb03
Instruction Fuzzy Hash: D2019AB1904649EFE710DF48DC05B9AFBE8FB05720F10466AE924977C0D7F56914CB90

Function 00583620 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005F6215: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,00000000,80004005,5D2E80A5,?), ref: 005F6275

RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: a609b7556558e88741c259beaf0dc22627d9ead2d905180c514c0ecc64ea61df
Instruction ID: be97b97e88671d7f4b72336fb9ad3888c8161e84198281d16d19bfed0b9c6786
Opcode Fuzzy Hash: a609b7556558e88741c259beaf0dc22627d9ead2d905180c514c0ecc64ea61df
Instruction Fuzzy Hash: 6BF0E275648608FFCB059F04DC06F6ABBA9FB04B00F008A69B915D36A0E736A8148B54

Function 00606E40 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,006097C5,?,00000000,?,005FFA29,?,00000004,00000000,00000000,?,?,00604979), ref: 00606E75

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 64fedc312764697a9e484b48bf767b63daebf4a8de3a2d64ea97cbdd4c456c8e
Instruction ID: 3676abb7e8c47cdb616a79d9512999408ef91e711d2c847fa4fd814572005ae7
Opcode Fuzzy Hash: 64fedc312764697a9e484b48bf767b63daebf4a8de3a2d64ea97cbdd4c456c8e
Instruction Fuzzy Hash: FBF0E5369C97226EEB252675CC01BDB368A9F417A1F110220BC09D22E0DF51CC2281F4

Function 00607620 Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00657000,00000080,00000002,?), ref: 00607636

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 83da01e83b0e7e247ff5a3892df9f48146b2e02743260bb1c9e934d022514fb6
Instruction ID: adbf8348b540b1672f193e1003db42b557c99d09b2273621e2fd52e9675377e0
Opcode Fuzzy Hash: 83da01e83b0e7e247ff5a3892df9f48146b2e02743260bb1c9e934d022514fb6
Instruction Fuzzy Hash: 58C08C71348308B7E7204B929C0BF4B369EAB80FA1F558110FA01E60C0E9A0EE084220

Function 005F155A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 878a4a9c63e34a196fb3a7e2ec4964d7d822ca4c0a3aabbaf5bfc5571dd7564e
Instruction ID: 31a0c91adb9591261f3dbad571f1f2d41dca301fb254af956ac47da2bb64b68d
Opcode Fuzzy Hash: 878a4a9c63e34a196fb3a7e2ec4964d7d822ca4c0a3aabbaf5bfc5571dd7564e
Instruction Fuzzy Hash: C0B01281299406FC36485258EE0AC760D4ED4D0F21732841AFE00C20C1D5844C08513D

Function 005F1550 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c0ff2a74b92141cea2b37866d628678b88559c91d23fda7407f4bcedc696b2af
Instruction ID: 54b3bf8fcfbea1620cea5cb4d149091ae5951d0f71de86221d1905142633dbe7
Opcode Fuzzy Hash: c0ff2a74b92141cea2b37866d628678b88559c91d23fda7407f4bcedc696b2af
Instruction Fuzzy Hash: 27B01285299506FC37485248EE0AC760D4ED4D0F11732451AFA00C20C1D4844C4C513D

Function 005F1546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: e63ac920e4e1f13c542bdeb18a2e37a64c31ca044ee80f107eb4b769c0595821
Instruction ID: 6ca939a876dc274835456e43057589965e697c336b04a609466c0f2c6d66a3ac
Opcode Fuzzy Hash: e63ac920e4e1f13c542bdeb18a2e37a64c31ca044ee80f107eb4b769c0595821
Instruction Fuzzy Hash: DBB01291299406FC36485348EF0AC760D8ED4D0F11B32851AFB00C20C1D4844C09513D

Function 005F1564 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 99c73028bfc00464ba6b7691b67258ef2c6b82cd4cf961b5f9e554564e8bc82d
Instruction ID: 28cda6722f4cc05d206261c006d52c4bd1d0c126a2dff5b9d56ccfb1c9467d8e
Opcode Fuzzy Hash: 99c73028bfc00464ba6b7691b67258ef2c6b82cd4cf961b5f9e554564e8bc82d
Instruction Fuzzy Hash: 61B012813AB406FC3A085248EE0AD77090EE4D0F12732441AFA01C20C1D4844C08513D

Function 005F151E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f1ca120f90d97f0acc43b7d75d1203aafffac1eb92c4e19af8c9d1fc12153359
Instruction ID: b645f72656722b0125fbba284599300fa69d4652a9a7cceb09561d4a6f022dfc
Opcode Fuzzy Hash: f1ca120f90d97f0acc43b7d75d1203aafffac1eb92c4e19af8c9d1fc12153359
Instruction Fuzzy Hash: C1B01281299406FC36585348EF0AD76090ED0D0F15732851AFB00C20C1D4944C09613D

Function 005F1514 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: e62906d08ff13060c655640a86f54db78647f0320a07e49a2a59b999acc1515d
Instruction ID: c38d73736f98cc952bae6c816579ad9a5fb7d855a38fa8b351fd82e526e9d56c
Opcode Fuzzy Hash: e62906d08ff13060c655640a86f54db78647f0320a07e49a2a59b999acc1515d
Instruction Fuzzy Hash: 64B01281299406FC36185248EE0AE77090EE0D0F15732481AFA01C20C1D8944C08613D

Function 005F150A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5d9eeacd59291ab568a08eb6460fd4db69853dc966e7bc4752462beadb4cfe70
Instruction ID: b189be221aa2aa8e60a92eb64d7b4fbd7aea7701b4e2d5e2c874bbe10001fe1b
Opcode Fuzzy Hash: 5d9eeacd59291ab568a08eb6460fd4db69853dc966e7bc4752462beadb4cfe70
Instruction Fuzzy Hash: 54B01281299406FC36085648EE0AC760A5ED0D0F31772841AFE00C20C1D4944C48513D

Function 005F1500 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 772e8a4a5672842d9350bd311ab811b51c88eddac216ef82c02f2fc8a3dbdab3
Instruction ID: 182731edb80b3135eec220891ac90710d95f837f04bcec84d6d5e7b2c5aa7454
Opcode Fuzzy Hash: 772e8a4a5672842d9350bd311ab811b51c88eddac216ef82c02f2fc8a3dbdab3
Instruction Fuzzy Hash: F9B01281299506FC3B485648EE0AC76090EE0D0F21772451AFA00C20C1D4844C8C513D

Function 005F1532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: dead88b7435d61b9ffd729e26cde7daf87bfe72c9c2150aabb3c5f3523a26637
Instruction ID: 9552545427c02337d00c165be81e88b2f04b9b0e524cb012378315b7f6125d77
Opcode Fuzzy Hash: dead88b7435d61b9ffd729e26cde7daf87bfe72c9c2150aabb3c5f3523a26637
Instruction Fuzzy Hash: 9FB01281299406FC36185248EE0AD76090ED0D0F25732841AFE00C20C1D4988C08613D

Function 005F1528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7382614dcd5a85811c7912bb8f602667428dadabb68da7f4932ddf9590000f0b
Instruction ID: e1149b98135f79b956e039c5af8fc98732c052a2effce70ab21ac058c8b985dd
Opcode Fuzzy Hash: 7382614dcd5a85811c7912bb8f602667428dadabb68da7f4932ddf9590000f0b
Instruction Fuzzy Hash: EEB01281299506FC37585248EE0AD76090ED0D0F15732451AFA00C20C1D4944C4C617D

Function 005F1541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bfc7edbdc0f3263ad16635e693ea16d32d4580e2433a76327c2066692967d209
Instruction ID: 988db5395f566a70bee49ed5b88222ab3e1fc15913c07ea810c6bca1ad25afa9
Opcode Fuzzy Hash: bfc7edbdc0f3263ad16635e693ea16d32d4580e2433a76327c2066692967d209
Instruction Fuzzy Hash: 70A01281199407FC35081240ED0AC76050DD0D0F103324809F601C008154840804103C

Function 005F157D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 44947a2df7b29b4dbe10766d4495ec4fda788d829fd60a27433abb45989829ff
Instruction ID: 988db5395f566a70bee49ed5b88222ab3e1fc15913c07ea810c6bca1ad25afa9
Opcode Fuzzy Hash: 44947a2df7b29b4dbe10766d4495ec4fda788d829fd60a27433abb45989829ff
Instruction Fuzzy Hash: 70A01281199407FC35081240ED0AC76050DD0D0F103324809F601C008154840804103C

Function 005F1573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 0c4044ebbefca616fc3dde40c421a2dd2d9c82ae08610a4dd46de4fcd0da420c
Instruction ID: 988db5395f566a70bee49ed5b88222ab3e1fc15913c07ea810c6bca1ad25afa9
Opcode Fuzzy Hash: 0c4044ebbefca616fc3dde40c421a2dd2d9c82ae08610a4dd46de4fcd0da420c
Instruction Fuzzy Hash: 70A01281199407FC35081240ED0AC76050DD0D0F103324809F601C008154840804103C

Function 005F1587 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005F14F7

Part of subcall function 005F1934: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005F19B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 335289d856d8e52fd6ce3e6761d92667cfe144a266a6db6616cf03ffe28812f0
Instruction ID: 988db5395f566a70bee49ed5b88222ab3e1fc15913c07ea810c6bca1ad25afa9
Opcode Fuzzy Hash: 335289d856d8e52fd6ce3e6761d92667cfe144a266a6db6616cf03ffe28812f0
Instruction Fuzzy Hash: 70A01281199407FC35081240ED0AC76050DD0D0F103324809F601C008154840804103C

Non-executed Functions

Function 005B2540 Relevance: 51.6, APIs: 11, Strings: 18, Instructions: 858libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,?,?,?,FF005A02,SystemFolder,0000000C), ref: 005B2756
GetSystemDirectoryW.KERNEL32(FF005A02,00000104), ref: 005B285F
GetWindowsDirectoryW.KERNEL32(FF005A02,00000104,WindowsFolder,0000000D), ref: 005B298C

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

GetWindowsDirectoryW.KERNEL32(FF005A02,00000104,WindowsVolume,0000000D), ref: 005B2ABC

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

GetModuleFileNameW.KERNEL32(00000000,FF005A02,00000104,WindowsVolume,0000000D), ref: 005B2C2C
SHGetSpecialFolderLocation.SHELL32(00000000,FF0055AA,WindowsVolume,0000000D), ref: 005B2D12
LoadLibraryW.KERNEL32(shfolder.dll), ref: 005B2DA0
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 005B2DDC
GetEnvironmentVariableW.KERNEL32(APPDATA,FF0057FA,00000104), ref: 005B2FD0
SHGetPathFromIDListW.SHELL32(?,FF005A02), ref: 005B3059
SHGetMalloc.SHELL32(FF0055AE), ref: 005B3072

Strings

System32Folder, xrefs: 005B27AB, 005B27C0, 005B27CA
ProgramFilesFolder, xrefs: 005B2EF6
00e, xrefs: 005B2DC3
ProgramFiles, xrefs: 005B2F2F
ProgramFiles64Folder, xrefs: 005B257E
SETUPEXEDIR, xrefs: 005B2BD6
WindowsVolume, xrefs: 005B2A04, 005B2A19, 005B2A23
APPDATA, xrefs: 005B2FC7, 005B2FCF
PROGRAMFILES, xrefs: 005B2FAD
Shlwapi.dll, xrefs: 005B2E17
TempFolder, xrefs: 005B2AFD
Shell32.dll, xrefs: 005B2E47
SHGetFolderPathW, xrefs: 005B2DD6
AppDataFolder, xrefs: 005B2F41, 005B2F7B
WindowsFolder, xrefs: 005B28D7, 005B28EC, 005B28F6
ProgramW6432, xrefs: 005B25D6
SystemFolder, xrefs: 005B2699, 005B26AE, 005B26B8
shfolder.dll, xrefs: 005B2D9B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressEnvironmentFileFindFromHeapLibraryListLoadLocationMallocModuleNameProcProcessResourceSpecialSystemVariable
String ID: 00e$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 700146523-2154485442
Opcode ID: 6e881cff6a21f6927abf67edf6f59469c52e468cee565d16302d88c5ba6997cf
Instruction ID: 553b1903a3b3e31b4f4f51fe329a983579c37410195220c789cd6702bfa952f5
Opcode Fuzzy Hash: 6e881cff6a21f6927abf67edf6f59469c52e468cee565d16302d88c5ba6997cf
Instruction Fuzzy Hash: 6B6225316006059BDB24EF24CC59BFA7BB2FF64714F5445A8D806A7390EB32EE45CBA0

Function 005AAAA0 Relevance: 40.8, APIs: 14, Strings: 9, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00650A8C,C0000000,00000003,00000000,00000004,00000080,00000000,5D2E80A5,00000000,00650A80,00650A68), ref: 005AAB18
GetLastError.KERNEL32 ref: 005AAB40
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 005AABC5
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 005AACF2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 005AAD8E

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 005AAE31
WriteFile.KERNEL32(00000000,0061C02D,00000002,00000002,00000000,?,0000001D), ref: 005AAEDA
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 005AAEE3
WriteFile.KERNEL32(00000000,00650864,00000000,00000002,00000000,?,0000001D), ref: 005AAF05
WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,006337E8,00000002), ref: 005AAFC4
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 005AAFCD
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 005AAF0E

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,006337E8,00000002), ref: 005AB079
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 005AB082

Strings

LOGGER->failed to create LOG at:, xrefs: 005AAB80, 005AAB92, 005AAB9C
x64, xrefs: 005AAF5E, 005AAF6A
workstation, xrefs: 005AAF6B
x86, xrefs: 005AAF55
LOGGER->Creating LOG file at:, xrefs: 005AADD6, 005AADE8, 005AADF2
LOGGER->Reusing LOG file at:, xrefs: 005AAC97, 005AACA9, 005AACB3
7c, xrefs: 005AB039
server, xrefs: 005AAF70, 005AAF78
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 005AAF94

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorFindHeapLastPointerProcessResource
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86$7c
API String ID: 611875259-3656310774
Opcode ID: 40f8ae4c25f53667a7dc94889ca3152e3b483af7e52754e08f54c122d4b60e50
Instruction ID: 390e8456ec1f6cc04b2b5e559c43848c00ba6f70dda362498a1a606ae42b5c69
Opcode Fuzzy Hash: 40f8ae4c25f53667a7dc94889ca3152e3b483af7e52754e08f54c122d4b60e50
Instruction Fuzzy Hash: 0212AD71A006059FDB10DF68CC59B6EBBB6FF44320F144258E825AB3D2DB75AE02DB91

Function 005EF400 Relevance: 32.7, APIs: 21, Instructions: 1155synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 005EF45E
GetLastError.KERNEL32 ref: 005EF469
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005EF953
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005EF997
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005EFAFE
SetEvent.KERNEL32(?), ref: 005EFE21
GetLastError.KERNEL32 ref: 005EFE2F
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005F01B9
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005F020F
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 005F0250
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005F025B
EnterCriticalSection.KERNEL32(?), ref: 005F0381
LeaveCriticalSection.KERNEL32(?), ref: 005F0418
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005F04BF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005F050F
SetEvent.KERNEL32(?), ref: 005F05AB
GetLastError.KERNEL32 ref: 005F05B9
SetEvent.KERNEL32(?), ref: 005F05CE
GetLastError.KERNEL32 ref: 005F05D8
SetEvent.KERNEL32(?), ref: 005F0608
GetLastError.KERNEL32 ref: 005F0616

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterEventLeave$ObjectSingleWait
String ID:
API String ID: 3699643388-0
Opcode ID: 623ba3d51da581205afe273cca82d5b429a289b843e96532695120f77ef1ab7c
Instruction ID: fbae2bb649ce0b3484a80742197a2f2bee1d342af7a7b7c9c4c89520ab0dcd7b
Opcode Fuzzy Hash: 623ba3d51da581205afe273cca82d5b429a289b843e96532695120f77ef1ab7c
Instruction Fuzzy Hash: AAC2CE74A087858FD764CF29C484B6AFBE1BF88304F14992EE9D993351DB74A844CF52

Function 005D9050 Relevance: 21.7, APIs: 9, Strings: 3, Instructions: 709fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?), ref: 005D949D
CloseHandle.KERNEL32(00000000), ref: 005D94AF
GetLastError.KERNEL32 ref: 005D94B9
CloseHandle.KERNEL32(FFFFFFFF), ref: 005D94F9

Strings

$, xrefs: 005D9B96
\, xrefs: 005D9167
NUMBER_OF_PROCESSORS, xrefs: 005D976F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileLast
String ID: $$NUMBER_OF_PROCESSORS$\
API String ID: 3884794734-458196154
Opcode ID: 2e15953f87df7aaa828fdf67544378e522cdd179ab7f91fc26e9078cc72785ad
Instruction ID: 68310f68c9395284bcec2b1538aac4ddf4a4a1ba8429300f53eba9de6ee4994b
Opcode Fuzzy Hash: 2e15953f87df7aaa828fdf67544378e522cdd179ab7f91fc26e9078cc72785ad
Instruction Fuzzy Hash: A2724870900669DBDB24DF28CD48BADBBF4BF44304F1481DAE489A7291DB75AE85CF90

Function 005A3B60 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 397fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,00000000), ref: 005A3BC5
PathIsUNCW.SHLWAPI(5D2E80A5,*.*,00000000), ref: 005A3C8B
FindFirstFileW.KERNEL32(5D2E80A5,?,*.*,00000000), ref: 005A3E1B
GetFullPathNameW.KERNEL32(5D2E80A5,00000000,00000000,00000000), ref: 005A3E35
GetFullPathNameW.KERNEL32(5D2E80A5,00000000,?,00000000), ref: 005A3E68
FindClose.KERNEL32(00000000,?,00000000), ref: 005A3ED0
SetLastError.KERNEL32(0000007B,?,00000000), ref: 005A3EDA

Strings

*.*, xrefs: 005A3BEF, 005A3C58, 005A3C59
2#vp1#v, xrefs: 005A3E1B
\\?\UNC\, xrefs: 005A3CAB, 005A3D83
\\?\, xrefs: 005A3D99, 005A3E03

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FindPath$CloseFullName$ErrorFileFirstLast
String ID: 2#vp1#v$*.*$\\?\$\\?\UNC\
API String ID: 539638818-402361260
Opcode ID: 8d1fd6a771963c962c9e038168d674a83fbdd3586df79fbc1ba45d00fb16076f
Instruction ID: 00b34f1dc04710dc8ba516db2c7373cc805142eaa0670205f7604c87e24ddd57
Opcode Fuzzy Hash: 8d1fd6a771963c962c9e038168d674a83fbdd3586df79fbc1ba45d00fb16076f
Instruction Fuzzy Hash: E0E1CF70A006029FCB14DF68C859B6EBBB2FF85318F14416CE912AB391EB75AE45CB50

Function 005CAC60 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 214fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,5D2E80A5,?,?,00000000), ref: 005CAD09
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 005CAD24

Strings

2#vp1#v, xrefs: 005CAD09, 005CB25A
@9c, xrefs: 005CB19F
p2#v3#v, xrefs: 005CAD24, 005CB288, 005CB31E
0!X, xrefs: 005CAD0F, 005CB33A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileFind$FirstNext
String ID: 2#vp1#v$0!X$@9c$p2#v3#v
API String ID: 1690352074-578336468
Opcode ID: 9f3c6ad43327c1b6c6227c218bc088f62dbeb51511502ebce501d061efe6ac90
Instruction ID: 29a827619afd2551da32ed2b980d8fcfdcc9c660e956722e402e037be3fee1fd
Opcode Fuzzy Hash: 9f3c6ad43327c1b6c6227c218bc088f62dbeb51511502ebce501d061efe6ac90
Instruction Fuzzy Hash: AE817971D00689DFEB10DFA8C899BEDBBB5FF48324F148159E815A7291EB349A09CB50

Function 005D7CA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 200libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00000000), ref: 005D7CCD
GetProcessAffinityMask.KERNEL32(00000000), ref: 005D7CD4
GetSystemInfo.KERNEL32(?), ref: 005D7D55
GetModuleHandleA.KERNEL32 ref: 005D7DA4
GetProcAddress.KERNEL32(00000000), ref: 005D7DAB
GlobalMemoryStatus.KERNEL32(?), ref: 005D7E05

Strings

kernel32.dll, xrefs: 005D7D64
@, xrefs: 005D7D9C
GlobalMemoryStatusEx, xrefs: 005D7D5F
, xrefs: 005D7DFC

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 3120231856-802862622
Opcode ID: 80ad9b7ecbc8d428d6c87d0b7426ad0363a2ffa06c7804043a74ef8a3be9e49e
Instruction ID: 632c71d040afc0774b9f2c9421e3f20e0fe9389ae37ef93fd1e3532c08bcd238
Opcode Fuzzy Hash: 80ad9b7ecbc8d428d6c87d0b7426ad0363a2ffa06c7804043a74ef8a3be9e49e
Instruction Fuzzy Hash: EC718CB1A083118FD718CF29D88475ABBE6BF88714F05892EE859CB351E774D904CB86

Function 005A2720 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000060,5D2E80A5,8007000E,00000000,?,?,?,?,?,?,?,?,0061A915,000000FF), ref: 005A2799
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?,0061A915,000000FF), ref: 005A27AC
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0061A915,000000FF), ref: 005A27CC
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,0061A915,000000FF), ref: 005A27E4

Part of subcall function 005A0A20: GetLastError.KERNEL32(5D2E80A5,00000000,00615110,000000FF,?,8007000E), ref: 005A0A42

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0061A915,000000FF), ref: 005A28C5

Strings

Module_Raw, xrefs: 005A2C6F
REGISTRY, xrefs: 005A2D0F
Module, xrefs: 005A2C16

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: Module$Module_Raw$REGISTRY
API String ID: 328770362-549000027
Opcode ID: 969045c40ffe68096d079ad57aa5bf176911331a978eafb9b97c6f6d5804f87c
Instruction ID: 0f4574e0a207d06127367c7ee40fe1489a938443e1fccee723fed4ec2c637eb5
Opcode Fuzzy Hash: 969045c40ffe68096d079ad57aa5bf176911331a978eafb9b97c6f6d5804f87c
Instruction Fuzzy Hash: F651D2B190464AEFDB20DF68CC46BEE7FB9FF85710F104129F905A7280DB389A458B65

Function 005EDA30 Relevance: 16.8, APIs: 11, Instructions: 273synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 005EDA77
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EDA87
GetLastError.KERNEL32 ref: 005EDA98
ResetEvent.KERNEL32(?), ref: 005EDAB8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EDAC8
GetLastError.KERNEL32 ref: 005EDAD9
GetLastError.KERNEL32 ref: 005EDB1A
SetEvent.KERNEL32(?), ref: 005EDB56
GetLastError.KERNEL32 ref: 005EDB60
WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 005EDBA8
GetLastError.KERNEL32 ref: 005EDBB3

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast$CreateReset$ObjectSingleWait
String ID:
API String ID: 3708806560-0
Opcode ID: de64f35cd2f0a06916d320111e1bc5f69cc5c6f1438aeb7e6435eb9798b2f382
Instruction ID: 1537c4017a84fe2b666085704deb35f5487ca4ef28fc38c9267c2e34ff856f68
Opcode Fuzzy Hash: de64f35cd2f0a06916d320111e1bc5f69cc5c6f1438aeb7e6435eb9798b2f382
Instruction Fuzzy Hash: 8291C471304A868FE72D8B2BD844B267BF6FB84351F25452DE597C72A1EB71EC41CA20

Function 005ADEC0 Relevance: 16.4, APIs: 7, Strings: 2, Instructions: 603COMMON

Download Yara Rule

APIs

Part of subcall function 005F46AF: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46BA
Part of subcall function 005F46AF: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46F4

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 005AE2EA
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 005AE2F1
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 005AE305
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 005AE30C

Strings

F^Z, xrefs: 005AE31B
Error, xrefs: 005AE62B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ConsoleExclusiveHandleLock$AcquireAttributeBufferInfoReleaseScreenText
String ID: Error$F^Z
API String ID: 719367182-1778321922
Opcode ID: 151cf5bd927334b4ae685440a63f8a180bec62f2cb0f931a5df82e656ad92d9c
Instruction ID: 7d3a628b3a649dfac27142e2a19560cbd5674ba81fd53b9e42f139d72152787f
Opcode Fuzzy Hash: 151cf5bd927334b4ae685440a63f8a180bec62f2cb0f931a5df82e656ad92d9c
Instruction Fuzzy Hash: 32428E70D0021ADFDB24DF64CC59BAEBBB5BF49314F104299E419A7291EB74AA84CF90

Function 0058C3A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175windowshutdownCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(5D2E80A5,?,?), ref: 0058C402
MessageBoxW.USER32(00000000,?,?,00000044), ref: 0058C40D
GetCurrentProcess.KERNEL32 ref: 0058C4FB
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0058C508
CloseHandle.KERNEL32(00000000), ref: 0058C528
GetLastError.KERNEL32 ref: 0058C56D
ExitWindowsEx.USER32(00000006,80040002), ref: 0058C57E
CloseHandle.KERNEL32(00000000), ref: 0058C59E

Strings

SeShutdownPrivilege, xrefs: 0058C53D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseHandleProcess$CurrentErrorExitForegroundLastMessageOpenTokenWindowWindows
String ID: SeShutdownPrivilege
API String ID: 1440564136-3733053543
Opcode ID: 2940c606c85f3a9222623e267b41ea137a05826ce789826128fe257125d17a02
Instruction ID: c320b144a118c907d9a15c57f0406eea0478c644e387c6dab1305f6168bc5fe9
Opcode Fuzzy Hash: 2940c606c85f3a9222623e267b41ea137a05826ce789826128fe257125d17a02
Instruction Fuzzy Hash: 96617D70A006099BDB10EFA8DC59BADBFB5FB08324F145259E811B72D0DB74AD46DBA0

Function 005ADDB0 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 495COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 005AE2EA
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 005AE2F1
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 005AE305
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 005AE30C
GetStdHandle.KERNEL32(000000F5,?,?,00000000,?,00000000,006337E8,00000002,?,?), ref: 005AE3CA
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 005AE3D1

Strings

F^Z, xrefs: 005AE31B
*** Stack Trace (x86) ***, xrefs: 005ADE05

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ConsoleHandle$AttributeText$BufferInfoScreen
String ID: *** Stack Trace (x86) ***$F^Z
API String ID: 575076100-3150557717
Opcode ID: d47dcac1d6f47d11ded3ce3d17ffc743c3233202690c28a6dda1815b1446a647
Instruction ID: 5a977f784f1b11ee2c00fef4655a80f329ba7d85d4602dd0cbb1cd33796012ba
Opcode Fuzzy Hash: d47dcac1d6f47d11ded3ce3d17ffc743c3233202690c28a6dda1815b1446a647
Instruction Fuzzy Hash: 2022AD7090021ADFDB24DF68CC59BEEBBB5FF49314F104299E415A7291EB74AA84CF90

Function 005AF270 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 352fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,FF005A36,5D2E80A5,00000000,00000000,00000000), ref: 005AF2CB
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,FF005C3E), ref: 005AF444
Wow64DisableWow64FsRedirection.KERNEL32(FF0059FA), ref: 005AF4F1
CopyFileW.KERNEL32(?,?,00000000), ref: 005AF513
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 005AF59E
DeleteFileW.KERNEL32(?,5D2E80A5,?,00000000,00614F60,000000FF,FF005E5A,80004005,FF005A1E), ref: 005AF6AD

Strings

shim_clone, xrefs: 005AF43E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderNamePathRevertTemp
String ID: shim_clone
API String ID: 3507832535-3944563459
Opcode ID: c41528cd8d94d1e51ca4062eb3d38bffb6c9e7c5afcbaede4b606c5bf25508de
Instruction ID: d7c1d48626397866248ffbc8c0b2081e08aeeb6fe4f7315e0eb0924878f26121
Opcode Fuzzy Hash: c41528cd8d94d1e51ca4062eb3d38bffb6c9e7c5afcbaede4b606c5bf25508de
Instruction Fuzzy Hash: C3C1D070A006598FCF24DF68CC45BAE7BB4FF4A300F1440A9E90697292EB349E45CB55

Function 005C9440 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

2#vp1#v, xrefs: 005C9628
p2#v3#v, xrefs: 005C9650, 005C9740
0!X, xrefs: 005C9634, 005C97A0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileFindFirstHeapProcess
String ID: 2#vp1#v$0!X$p2#v3#v
API String ID: 284326027-3019436278
Opcode ID: 0b7bcceec35a4ba6c70894c435978b4a4c9925fbf3f63e6e97590f52f18edf98
Instruction ID: 2c113e9dbbbc4e5d2184b58634e70305d24a681cf6637f972e6ea5f91c6d9eba
Opcode Fuzzy Hash: 0b7bcceec35a4ba6c70894c435978b4a4c9925fbf3f63e6e97590f52f18edf98
Instruction Fuzzy Hash: B0918A71901619DFDB20DF68CC4DBA9BBB5FF49320F248299E818A7291DB309E45CF91

Function 005C80E0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 465COMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

GetLogicalDriveStringsW.KERNEL32(00000064), ref: 005C8320
GetDriveTypeW.KERNEL32(FF005B92), ref: 005C833A
Wow64DisableWow64FsRedirection.KERNEL32(FF005B6E,FF005B46), ref: 005C83E3
Wow64RevertWow64FsRedirection.KERNEL32(?,FF005B46), ref: 005C8686

Strings

]%!, xrefs: 005C82B8
\c, xrefs: 005C82E4

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!$\c
API String ID: 4157823300-3251890830
Opcode ID: 125a6ef797545bf28a145d07862b7140c5abdd2b50e6f92adac12947d7a63860
Instruction ID: 95d86b65dd0c613bc1eceb7febbd8d4cf6d924405e86a25cce20dab015db34bf
Opcode Fuzzy Hash: 125a6ef797545bf28a145d07862b7140c5abdd2b50e6f92adac12947d7a63860
Instruction Fuzzy Hash: E402AF3190065A8FDB24DF68CC98BADBBB5BF44310F1485EDD91AA7281DB709E85CF90

Function 00581950 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 207fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,FF00598A), ref: 00581A49
FindClose.KERNEL32(?,?), ref: 00581C12

Strings

2#vp1#v, xrefs: 00581A49
p2#v3#v, xrefs: 00581BB3
0!X, xrefs: 005819A1, 00581C03

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2#vp1#v$0!X$p2#v3#v
API String ID: 2295610775-3019436278
Opcode ID: 95f5f6635cded6da87cc6267427f0e8ba0072304da75dce4e16d2e1c446b5544
Instruction ID: e06afe834ccb53b02f8a7a49dd47cec524a5556daa0fa1e9099f9c561c012edb
Opcode Fuzzy Hash: 95f5f6635cded6da87cc6267427f0e8ba0072304da75dce4e16d2e1c446b5544
Instruction Fuzzy Hash: 19918D70D01609DBDB24EF64C999BEEBBB9FF44300F108299D815B7291EB706E85CB50

Function 005E3190 Relevance: 10.6, APIs: 6, Instructions: 1566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc5b24ee5b51c8dcf27c66190c15f5a076e4cf2f34421ad3f97f2208b9a8dcd
Instruction ID: 73c926c1b32e8228a83aad038561a3f1b55a6d58eea23feb2d7cd996bc0b8cb1
Opcode Fuzzy Hash: 6fc5b24ee5b51c8dcf27c66190c15f5a076e4cf2f34421ad3f97f2208b9a8dcd
Instruction Fuzzy Hash: B6E27870A00299DFDB14DF69C898BAEBFB5BF48304F148199E845AB391C774AE41CF90

Function 00610D6D Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1424COMMON

Download Yara Rule

APIs

__libm_sse2_log10_precise.LIBCMT ref: 00610F99

Strings

1#INF, xrefs: 00610EA3
1#SNAN, xrefs: 00610E79
1#IND, xrefs: 00610E72
1#QNAN, xrefs: 00610E80

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: __libm_sse2_log10_precise
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 3323863637-2761157908
Opcode ID: 501df92cee56bed49c1013727d10da11590c3ea8e30e015a0010e847bd85b183
Instruction ID: c10144150c9e325fbed53a0bbe8311d42bdf0923fbfaad12fe05cd2670f4e95d
Opcode Fuzzy Hash: 501df92cee56bed49c1013727d10da11590c3ea8e30e015a0010e847bd85b183
Instruction Fuzzy Hash: 7CC24E72E042298FDB65CE28DD447EAB7B6EB49304F1841EAD94DE7240E774AEC18F41

Function 005F1EBE Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,005F1DDA,00000000,?,005F1F72,00000000), ref: 005F1EC0
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,005F1F72,00000000), ref: 005F1EE7
HeapAlloc.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1EEE
InitializeSListHead.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1EFB
GetProcessHeap.KERNEL32(00000000,00000000,?,005F1F72,00000000), ref: 005F1F10
HeapFree.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1F17

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: caeb1474f9fb188d4bc2fe37f2458fbd81ae3f8dc4ee619e1d07ca68af01fa76
Instruction ID: 477bf234c09d4b26763a494f711f6735b272acd36d74492ff791a515976ef96f
Opcode Fuzzy Hash: caeb1474f9fb188d4bc2fe37f2458fbd81ae3f8dc4ee619e1d07ca68af01fa76
Instruction Fuzzy Hash: 2EF04F75205A01DFD7209F79AC08F267ABABB95B52F049429FA45D7250EB3488068B61

Function 005C9880 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,FF0059C6), ref: 005C9916
FindClose.KERNEL32(00000000), ref: 005C9A99

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Strings

%d.%d.%d.%d, xrefs: 005C9A12
2#vp1#v, xrefs: 005C9916
0!X, xrefs: 005C991E, 005C9A8A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: 2#vp1#v$%d.%d.%d.%d$0!X
API String ID: 1673784098-3398128289
Opcode ID: 38646bd6c2bbf40dec1e39864d3ae85f0375a17dd994cf6ed2b67eaa7667dc19
Instruction ID: 23c344819bca52c1a8b08cdddd14b26cc2e45d4bd9b2343b31865f42f6b544b6
Opcode Fuzzy Hash: 38646bd6c2bbf40dec1e39864d3ae85f0375a17dd994cf6ed2b67eaa7667dc19
Instruction Fuzzy Hash: BD7196709052199FCF20EF68CC4DBADBBB5BF44314F1082D9E819AB291DB359A84CF80

Function 0060FA45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0060FD5D,00000002,00000000,?,?,?,0060FD5D,?,00000000), ref: 0060FADE
GetLocaleInfoW.KERNEL32(?,20001004,0060FD5D,00000002,00000000,?,?,?,0060FD5D,?,00000000), ref: 0060FB07
GetACP.KERNEL32(?,?,0060FD5D,?,00000000), ref: 0060FB1C

Strings

OCP, xrefs: 0060FA99
ACP, xrefs: 0060FA63

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e093014d9e1f8819db9dae96ca81d086c5f180eb76419a9ee313f8be84e3dc82
Instruction ID: 464ac2a28963d4c4874af2e7943416fb327f78669c82ba6b3bae7a0e6a180abe
Opcode Fuzzy Hash: e093014d9e1f8819db9dae96ca81d086c5f180eb76419a9ee313f8be84e3dc82
Instruction Fuzzy Hash: F321A132784101EAE7388F64D901AD777ABEF54B50B5A8434E90EDBB90E732DE41C790

Function 0060FC27 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0060FD2F
IsValidCodePage.KERNEL32(00000000), ref: 0060FD6D
IsValidLocale.KERNEL32(?,00000001), ref: 0060FD80
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0060FDC8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0060FDE3

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: f8e62382cb5f4c6696f99004ceb10406ce3ac6c81ef0b3fd6a517a2dbe7bf193
Instruction ID: f56db0ed800692b0d523ca03d061c83839878cdde55d12fcd829a6ab3f7105c4
Opcode Fuzzy Hash: f8e62382cb5f4c6696f99004ceb10406ce3ac6c81ef0b3fd6a517a2dbe7bf193
Instruction Fuzzy Hash: CA516171A40609ABEB74DFA4CC45AFF77BABF44700F140479E901E76D1EBB09A418BA1

Function 0060F284 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 271COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,?,?,?,?,00605626,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0060F34D
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00605626,?,?,?,00000055,?,-00000050,?,?), ref: 0060F384
GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 0060F4F0

Strings

utf8, xrefs: 0060F456

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: b511438109cc96c2604eca6d3d61f7b491fb079a9a1ad6bbe7f0bc7890a6881e
Instruction ID: bebdf08c69acde5e6322672b5e18d8334fe0d82513079094e686d5d6ed194c24
Opcode Fuzzy Hash: b511438109cc96c2604eca6d3d61f7b491fb079a9a1ad6bbe7f0bc7890a6881e
Instruction Fuzzy Hash: 5A71E871A80206AAEB3CAB348C46BBB73AAEF54710F140439F905DB6C2E675ED418691

Function 005CA8A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005CA97A

Strings

\, xrefs: 005CA91E
\, xrefs: 005CA8FC
\, xrefs: 005CA8F4

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 79d0b7e15ec382b11bee3d40ad8f61dfca9e4f414162bd4784efe6467acae54e
Instruction ID: 63ee9965aecd23736aa2f563e875b1b903816be2468bc38c6e1991f5001a79b9
Opcode Fuzzy Hash: 79d0b7e15ec382b11bee3d40ad8f61dfca9e4f414162bd4784efe6467acae54e
Instruction Fuzzy Hash: D641D322D042598ECB309FA48442FABBFF4FF95358F168A1EE8D893041E3708D848387

Function 005C0E10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?), ref: 005C0E9F
FindClose.KERNEL32(00000000), ref: 005C0EEC

Strings

2#vp1#v, xrefs: 005C0E9F
0!X, xrefs: 005C0EA7, 005C0EDD

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2#vp1#v$0!X
API String ID: 2295610775-2211160475
Opcode ID: 4d583b0790c1435ece5a9d36f456e0d181fe1dcd317cce59a22b1db47548beb3
Instruction ID: 71fbc9c00bce6f9b8818805eee3a005a0f6058c7a56265204323803b1f84247c
Opcode Fuzzy Hash: 4d583b0790c1435ece5a9d36f456e0d181fe1dcd317cce59a22b1db47548beb3
Instruction Fuzzy Hash: 42418C31A05219CFCB20DF68D858BA9BBB5FB45320F144299E819A73D1DB359E45CF90

Function 005A7DF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,5D2E80A5,?,00000000), ref: 005A7E56
FindClose.KERNEL32(00000000), ref: 005A7EBE

Strings

2#vp1#v, xrefs: 005A7E56
0!X, xrefs: 005A7E5E, 005A7EA6

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2#vp1#v$0!X
API String ID: 2295610775-2211160475
Opcode ID: 412b5f467f319505975f2a80f88fd8e13dea835d5c8d2587edd2ef6943ea7a0d
Instruction ID: 13f7efe24cbee63a258dc3dc38dbc901e246d4af81a3f7140ef7166a2d917105
Opcode Fuzzy Hash: 412b5f467f319505975f2a80f88fd8e13dea835d5c8d2587edd2ef6943ea7a0d
Instruction Fuzzy Hash: D721F0729086189BCB20DF68CC4DBADBBB9FB49320F140399A429A32D0DB755E04CF40

Function 005F5342 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005F534E
IsDebuggerPresent.KERNEL32 ref: 005F541A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005F5433
UnhandledExceptionFilter.KERNEL32(?), ref: 005F543D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 86eaa3a68bd6c731d97e1fff24713f62decf3d59230378fd686fb78c92655421
Instruction ID: 45254e2c1a713cf5f450f37dcb667354191433abb1dd95921054d36860eef887
Opcode Fuzzy Hash: 86eaa3a68bd6c731d97e1fff24713f62decf3d59230378fd686fb78c92655421
Instruction Fuzzy Hash: 02311875C0561D9BDF20DF64D949BCDBBB8BF08304F1041AAE60CAB250E7749B858F45

Function 005D4DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

GetLocaleInfoW.KERNEL32(00000000,00000002,006337C0,00000000), ref: 005D4E41
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 005D4E7D

Strings

%d-%s, xrefs: 005D4E87

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: 0f0a8315f23a45eef0d1c6408c2d771079e922448ccc63d4b31b9feac039b1f2
Instruction ID: 2eb2fb5c444a05d7084b60bd1562c82df413b19e673806de506e14432a0008da
Opcode Fuzzy Hash: 0f0a8315f23a45eef0d1c6408c2d771079e922448ccc63d4b31b9feac039b1f2
Instruction Fuzzy Hash: 1F31BC71A00619ABDB00DF98CC4ABAEBBB9FF44724F104159E515A7391DB755A01CB90

Function 005F16FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00000000,0000001C,?,?,?,?,?,?,?,005F1642,00000000,00000000,00000004,0064F7DC,005F1944), ref: 005F170E
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,005F1642,00000000,00000000,00000004,0064F7DC,005F1944), ref: 005F1729

Strings

D, xrefs: 005F171D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 81dbce9b1ec9c8f69cb15719ede0c4d89749217ef5f6000aec1bb015c2dcb0d3
Instruction ID: 15848ec858582154c281e21ef536e91d027d4e64b1f542e37527829433364593
Opcode Fuzzy Hash: 81dbce9b1ec9c8f69cb15719ede0c4d89749217ef5f6000aec1bb015c2dcb0d3
Instruction Fuzzy Hash: 2C01FC3260050D9BCB14EE25DC05BEE7BAAEFC4324F0CC121ED1DD7140D638D9118A80

Function 005FA0D0 Relevance: 5.0, APIs: 3, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7471089b39a0c606a1ead41c5972f56f77b679b77ddc466d9b28eb3e4bb7b9c1
Instruction ID: fa19598090172c431380d20b4ac9204534788c6368baf75af385d529f28bda9f
Opcode Fuzzy Hash: 7471089b39a0c606a1ead41c5972f56f77b679b77ddc466d9b28eb3e4bb7b9c1
Instruction Fuzzy Hash: 88025DB1E002199FDF14CFA8D884AADFBB1FF88314F158269D919AB345D734A941CF92

Function 0060F6C0 Relevance: 4.7, APIs: 3, Instructions: 210COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078), ref: 0060F717
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 0060F75B
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 0060F825

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e2ee569aa68a6f1f848c5e3eeed6c034ec9b68d1e4132cdb444011b0c23b54fb
Instruction ID: bd94829e0657eb8fa9dfdc2a37a07386c46258366b13090b927de6a399d2330e
Opcode Fuzzy Hash: e2ee569aa68a6f1f848c5e3eeed6c034ec9b68d1e4132cdb444011b0c23b54fb
Instruction Fuzzy Hash: CA615C719802169FEB7C9F24C886BBB77AAEB44300F208079E905C6A95EB74D985DB50

Function 005815F0 Relevance: 4.7, APIs: 3, Instructions: 204COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 005EE3A2
GetVersionExW.KERNEL32(00000114), ref: 005EE3F1
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 005EE409

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: abe3fcbefd53cbe4d904426c9a7fde9e4c89b8bb29280272efa32d6d0ca57a44
Instruction ID: 47e7a5129eebfb9242083f3e3329aa2136f445309c9c003d7809b6899b642118
Opcode Fuzzy Hash: abe3fcbefd53cbe4d904426c9a7fde9e4c89b8bb29280272efa32d6d0ca57a44
Instruction Fuzzy Hash: 82614831B103604BE74CCF2EDC856AABFD6EBC9342F044A3EE4D6C6290D678C545CAA0

Function 005F96A3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005F979B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005F97A5
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 005F97B2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 49304fb0fb0fa22b069b35af8098a30145103baaf5460fe334fb2b047597e458
Instruction ID: b537d44b230e3a18c40b1622743b8c2d4c3aaab1db7cd9a0e5c2a1f0e9ddd05b
Opcode Fuzzy Hash: 49304fb0fb0fa22b069b35af8098a30145103baaf5460fe334fb2b047597e458
Instruction Fuzzy Hash: 8B31E37495122D9BCB21EF28DC89B9CBBB8BF48710F5041EAE50CA7290E7749F858F44

Function 005A9710 Relevance: 3.1, APIs: 2, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000007,00000400,?,00000000,00000000,5D2E80A5,00000000,?), ref: 005A975B
GetLastError.KERNEL32 ref: 005A9765

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 1d334de26afacbc94b22bc455950bb77512c87e01afb5b95bf9ff3a2eaa6009a
Instruction ID: 3548d6a1638cd33a0b7cc0ebd4b5651c6f0552ac968a27f4d891f337a4d233f6
Opcode Fuzzy Hash: 1d334de26afacbc94b22bc455950bb77512c87e01afb5b95bf9ff3a2eaa6009a
Instruction Fuzzy Hash: C541D075A042169FDB10DF98CC467AEBBF4FB85714F14016EE919E7380EBB59A008B90

Function 005F4355 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,005F4122,?,?,?,?,005F40E1,000000FF,?,?,?,005F41F4,00000000,?), ref: 005F438D
GetSystemTimeAsFileTime.KERNEL32(?,5D2E80A5,?,?,00626272,000000FF,?,005F4122,?,?,?,?,005F40E1,000000FF,?), ref: 005F4391

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 00486202af87bc2e7132bec42d829108d22c2061a91aa61d9ff8b85af037b892
Instruction ID: 4ff938f355930389dc595a41d5fa41953860824b789c6ba6e7a30a1862a36a4d
Opcode Fuzzy Hash: 00486202af87bc2e7132bec42d829108d22c2061a91aa61d9ff8b85af037b892
Instruction Fuzzy Hash: D3F06536908958EFCB119F54DC45F5EBBAAFB09B50F004626EC12D7790DB75A9009F90

Function 0058CEA0 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 0058CEA5
SetUnhandledExceptionFilter.KERNEL32(Function_00025C80), ref: 0058CEBB

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 6d6d598ac993a905a41073795961a08b2f1f86fa7c8ea77f5c23e77cc0d994d4
Instruction ID: d293d17c2de8e0742a6ed49fbc68fa0d18b366d1051163ec6b12662562c4bbcd
Opcode Fuzzy Hash: 6d6d598ac993a905a41073795961a08b2f1f86fa7c8ea77f5c23e77cc0d994d4
Instruction Fuzzy Hash: C0D022319893415AFB18A3709D0EF193E86371230EF083005EC02213A2E2B45C408323

Function 00585930 Relevance: 1.9, Strings: 1, Instructions: 682COMMON

Download Yara Rule

Strings

lY, xrefs: 00585940

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID: lY
API String ID: 0-2569190583
Opcode ID: 865b8410cbbeb498fa4215f7c3dd7fb49b7c5e723d3f428aa43bcfd74340cb25
Instruction ID: 84ffa047e82417b945b0992721242a6ea12da3dbc9c425e20014a5582dbdc7ab
Opcode Fuzzy Hash: 865b8410cbbeb498fa4215f7c3dd7fb49b7c5e723d3f428aa43bcfd74340cb25
Instruction Fuzzy Hash: 3722C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 006091C0 Relevance: 1.8, APIs: 1, Instructions: 263COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,00000008,?,?,?,006091AE,?,?,00000008,?,?,0061449E,00000000), ref: 00609408

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 33f9d871bbf8236e0f1028fe5948410bfdc97e3e6b804669c287d8285bdc836f
Instruction ID: c7cda75669338f983c0037bc47e81200cb1b8549f26782bf6b29fbe2f6122c56
Opcode Fuzzy Hash: 33f9d871bbf8236e0f1028fe5948410bfdc97e3e6b804669c287d8285bdc836f
Instruction Fuzzy Hash: 0EB129315506099FD719CF28C496BA67BE2FF45364F248658E89A8F3E2C335E982CB50

Function 005F4E00 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005F4E16

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: dc51f88a32c1718824286766eef3fd951bbd2d1ec2f64cdb42aa21b93794220e
Instruction ID: ef4d8aca74080d3153dce5bce562c0e9666b4d5eced576d0fb93a96a2c177e14
Opcode Fuzzy Hash: dc51f88a32c1718824286766eef3fd951bbd2d1ec2f64cdb42aa21b93794220e
Instruction Fuzzy Hash: 84A1AEB9900605CFDB28CF58D881AAEBBF2FB49710F14913AD615EB390D3799854CF60

Function 0060CCF0 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacd3de15828a3891de01f10c648a9135a613c4d0b416b71c5e0619c6e910a40
Instruction ID: 0514437a6aa082e98f8174775fd41f7da6c2b32bced3a049dac5ad6707b6fcad
Opcode Fuzzy Hash: cacd3de15828a3891de01f10c648a9135a613c4d0b416b71c5e0619c6e910a40
Instruction Fuzzy Hash: C231C97590021DAFDB28DFA8CC89DEB7B7EEF84364F144668F90597285E631AD40CB50

Function 0060F920 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 0060F970

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5b9654ab81d6c8e19950cf2c7b7b70213561272b2b6e6ac0036569ee60fd664b
Instruction ID: 84eb0dd135011d79b3ae7d4b7ced1346d537117148b02b0bae3d4b7f6323c404
Opcode Fuzzy Hash: 5b9654ab81d6c8e19950cf2c7b7b70213561272b2b6e6ac0036569ee60fd664b
Instruction Fuzzy Hash: 27218071A90206BBEB289B24DC46BBB77A9FF44300F10007AFD01C6591FB74ED408B90

Function 0060F58E Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(0060F6C0,00000001,00000000,?,-00000050,?,0060FD03,00000000,?,?,?,00000055,?), ref: 0060F600

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: fb75261cc27174e5753ca151bc9cf44149dd3e1105630ac721b252fd5446ea30
Instruction ID: ec3155ce4afc9f1d73b9082aed5a41d138c77898b0cbe1a083440fd7c600c07c
Opcode Fuzzy Hash: fb75261cc27174e5753ca151bc9cf44149dd3e1105630ac721b252fd5446ea30
Instruction Fuzzy Hash: 251125366407019FDB2C9F38C8916BBB792FF84358B19483DE98687B80D772A943CB40

Function 0060FB4B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0060F9C6,00000000,00000000,?), ref: 0060FB77

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 692c761245e962b271edba1fa1f7b06e963aec75a948252c4037bc4548c4da73
Instruction ID: da5f207ffe419773c76ea7c261f1b88ed14ae0d0318f405c8797e45ca31e7f82
Opcode Fuzzy Hash: 692c761245e962b271edba1fa1f7b06e963aec75a948252c4037bc4548c4da73
Instruction Fuzzy Hash: C901DB33A40112ABDB3C5B25C856AFB775ADB40354F15487CEC06E36C0DBB4ED42C990

Function 0060F4A0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 0060F4F0

Strings

utf8, xrefs: 0060F456

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: utf8
API String ID: 2299586839-905460609
Opcode ID: 9d3cb79e01ce7cc3eb7ced80c2327df42f40f22f63d8819d92f547acd389842f
Instruction ID: 6d9b0eb45be9cb07e7a2fbe8a221015324fca67e8891cf18b6795fc8bc91aa90
Opcode Fuzzy Hash: 9d3cb79e01ce7cc3eb7ced80c2327df42f40f22f63d8819d92f547acd389842f
Instruction Fuzzy Hash: F1F0A432A81204EBE724AB24DC4AFBB73E9EB44315F100079FA02D7181EAB4AD458690

Function 0060F629 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(0060F920,00000001,?,?,-00000050,?,0060FCCB,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0060F673

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: dfb345597053dfd2eb35acf5baddd8f2c66f05ce5bc25a19f2da5fe52712c9cf
Instruction ID: 844b0b32bcb03c561d5d4c92b124d310e0a92f7dc839606988c71ba60ef3e027
Opcode Fuzzy Hash: dfb345597053dfd2eb35acf5baddd8f2c66f05ce5bc25a19f2da5fe52712c9cf
Instruction Fuzzy Hash: 06F0C2362403045FDB285F39D882ABB7B96EF85768B06453CF9458BAE0D6B2AC42C654

Function 0060F543 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(0060F4A0,00000001,?,?,?,0060FD25,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0060F57A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 952eb7000c6fee414da313dfddbf3a501ec70ab9da8cfceff8095698e4660751
Instruction ID: 738cd8e0373eb12708c95f6b6b87657c20050435e891eb39995cb913e0590f7f
Opcode Fuzzy Hash: 952eb7000c6fee414da313dfddbf3a501ec70ab9da8cfceff8095698e4660751
Instruction Fuzzy Hash: 98F0553A34020457CB289F39CC15BABBF96EFC1720B0A4068FE058B681C6759843C790

Function 00606EC2 Relevance: 1.5, APIs: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00602301: EnterCriticalSection.KERNEL32(-006500C0,?,006048AB,00583AB6,0064ACC8,0000000C,00604B87,?), ref: 00602310

EnumSystemLocalesW.KERNEL32(00606EA0,00000001,0064ADE8,0000000C,00607387,00000000), ref: 00606EF4

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1225e7373e4488909a6df92359169d6f66bdacf317a2cb4d8690a31d5892b66b
Instruction ID: 9a194b4ba53f7a45fc80ab95b4632e12fc37d834d71bbf68b1da81f1a77f0160
Opcode Fuzzy Hash: 1225e7373e4488909a6df92359169d6f66bdacf317a2cb4d8690a31d5892b66b
Instruction Fuzzy Hash: D1F04936A80705DFE704DF98E446B9E7BB2EB44726F10401AF5119B2E0D7B99900CB40

Function 006073C9 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,006061AA,?,20001004,00000000,00000002,?,?,006057A8), ref: 006073FD

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b28d256a5cd33cd1b49d4030fc571ded3c4e0625a8f975e95a18b17ea0ad77b8
Instruction ID: 4cfac92ee74a45d274eeb1a67369eae859238034a47b2c7dbdc1011cd53994ad
Opcode Fuzzy Hash: b28d256a5cd33cd1b49d4030fc571ded3c4e0625a8f975e95a18b17ea0ad77b8
Instruction Fuzzy Hash: C3E04F31988528BBCF172F60EC05EDF3E5BEF44760F008014FC05662A0CB719E22AAE5

Function 005F54CF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000754E0,005F4BC5), ref: 005F54D4

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de76a3524050218f054bb9fec7fc51ac2c9dd3409e9fbfbcccd2f983660aa0e6
Instruction ID: f82fa0f78b0636df76c4f7d7f08c4c5129513053ebfe613d68f3add2b7f21b5d
Opcode Fuzzy Hash: de76a3524050218f054bb9fec7fc51ac2c9dd3409e9fbfbcccd2f983660aa0e6
Instruction Fuzzy Hash:

Function 005EC5C0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8529dd28cf83689b628fa2e636785774dffd735feb49cbcd5c55afa27603425
Instruction ID: 3b4100c26ac4e6c5ebd619e362b831de1f7c64518415d8b55e43260d15dab524
Opcode Fuzzy Hash: e8529dd28cf83689b628fa2e636785774dffd735feb49cbcd5c55afa27603425
Instruction Fuzzy Hash: D1228071A002999FCF19DFA9C884AAEBFB5FF48310F154169E895A7351D730ED42CB90

Function 005EC6E0 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef3be530bfafb39ad1c963e845329dcc33d178391d6db0e528142937a9bcaea
Instruction ID: eae40e1c654becd5704eff4f02064a35e1e410307a1edbc0d51e16557a26add1
Opcode Fuzzy Hash: 4ef3be530bfafb39ad1c963e845329dcc33d178391d6db0e528142937a9bcaea
Instruction Fuzzy Hash: 04325971A00299DFCF18DF99C984AAEBFF6BF48310F254069E855AB351C771AD42CB90

Function 005DFD20 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58414c0b673af1800e9b3e372db1e32d8be72ea2b7c5eedc4ed8f846be977e0
Instruction ID: c9e65c6d7286bd76b293747757f8c031944da737d9a3e4c24d50c1a6ed039ee4
Opcode Fuzzy Hash: f58414c0b673af1800e9b3e372db1e32d8be72ea2b7c5eedc4ed8f846be977e0
Instruction Fuzzy Hash: FE326770900289DFDB14DF58C998BAEBFB1BF45304F148199E949AB392C7B5AD84CF90

Function 005E8100 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe832cafeae4252b426330cf67226a48b717919387d1670b98870811c6abd5d
Instruction ID: 3825206153e6ae3ade3768e43ba61b960200c95383570c1b83d0ad6f76c57973
Opcode Fuzzy Hash: 6fe832cafeae4252b426330cf67226a48b717919387d1670b98870811c6abd5d
Instruction Fuzzy Hash: C202B2727046618BDB0CCE1AC59023ABBE2BBD8305F154A2EE4DB97785CE70D945CB85

Function 005FDF0B Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a26d3d0068d333128e478cc03abba89a6308d429f30366cfccf0139d9b6914
Instruction ID: d6ed710d5f689397b65550652a5e3a4a0e31eb5b2c0c9d4b8a4afbf58c8972dd
Opcode Fuzzy Hash: f4a26d3d0068d333128e478cc03abba89a6308d429f30366cfccf0139d9b6914
Instruction Fuzzy Hash: 3C02C57060060E8FCB24CF28C54AABABFF6FF49314F244A1DD656972A1D779AC42CB51

Function 005E4A50 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f626a188eeede66bdb94c2f42d6a614b61170ad88781ccac3e991e26fbdd62fe
Instruction ID: caa7a2dd3821f3d70cc7c6e764466dbc301173dde2e784c6bc8ca5b5a0d96178
Opcode Fuzzy Hash: f626a188eeede66bdb94c2f42d6a614b61170ad88781ccac3e991e26fbdd62fe
Instruction Fuzzy Hash: 47023F72A083118BC75CCF1AD89056BF7E2BFCC314F19892EF49A93351DB74A945CA86

Function 005FDACC Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d460bc24410746e76f1553d2f61ccc9f5a4ab6fe12cf33eb9f3cd4ecc76b506
Instruction ID: 9a1cb410b1f9e97201d54cc46848dd7ebfba86da88d4a966657be293ce7acfdf
Opcode Fuzzy Hash: 5d460bc24410746e76f1553d2f61ccc9f5a4ab6fe12cf33eb9f3cd4ecc76b506
Instruction Fuzzy Hash: 6FE1CB7490060E8FCB24CF68C494ABABFB6FB55310F144A1DDA569B691C73DAC46CF60

Function 00592940 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e206b806fc2f2d15c42555acfeba3d2c160a7d8809909fbe2a5ce934a7d32e61
Instruction ID: afc1470b7f26ed4debeea64e9a9d19a3a898099422800d0fad3c67831bef4f7d
Opcode Fuzzy Hash: e206b806fc2f2d15c42555acfeba3d2c160a7d8809909fbe2a5ce934a7d32e61
Instruction Fuzzy Hash: FDE19D72A083059FCB18CF19D49056EFBE2FFD8310F598A6DE48A57354DA70AD09CB82

Function 005EE640 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a07a358b833efd2f37456dde5c9778dc8c76f36133231a96c1b349a37607ecd
Instruction ID: 97364b4db20dc58013537f2a1f113c7cdad7c5e0875a977c64cb89deeb107864
Opcode Fuzzy Hash: 1a07a358b833efd2f37456dde5c9778dc8c76f36133231a96c1b349a37607ecd
Instruction Fuzzy Hash: 91F172B45143A18BD748CF1ADCE042A77E2FBCA312F45490EF5D68B395C235E61ACBA1

Function 00608E60 Relevance: .2, Instructions: 230COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199cfc18c002d48e62d1bdb909b82483c2a5622abf8f1ed7ee51bce9fef951c7
Instruction ID: 06734ec0600a096274e0b425a1b86303b2db719bb3745c4940f2b5ed7b86e655
Opcode Fuzzy Hash: 199cfc18c002d48e62d1bdb909b82483c2a5622abf8f1ed7ee51bce9fef951c7
Instruction Fuzzy Hash: 73916E32D41E098ADB1ACF68C8453DFB773AF46360F299285DC657B3D2DB3498868760

Function 0058EAA0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260f7346573ee0492d7d087c9a02f31b07962f178dacaa3a5896be440bf1b46
Instruction ID: 95c9f70f66765b868044832a0c064d130e0d7a1055379eefc5a4e34908be5973
Opcode Fuzzy Hash: 6260f7346573ee0492d7d087c9a02f31b07962f178dacaa3a5896be440bf1b46
Instruction Fuzzy Hash: 27714C71A082168FC718DF29C84166ABBF2FFD8350F158A2DE996E7254E730E954CBC1

Function 0058E870 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93427a4c3b2901b25d4b8cc7a15ad103625c5b02533139ca114d6ba6127404e
Instruction ID: b76d1e0b255bfcffcb666e7a75836116a60c3c2446683ce2f38ae1b63f6d3f75
Opcode Fuzzy Hash: b93427a4c3b2901b25d4b8cc7a15ad103625c5b02533139ca114d6ba6127404e
Instruction Fuzzy Hash: 81714C76E101198FCB08DFACC8855ADBBF5FB88710F1A4669E815FB345E770A910CBA4

Function 005EE090 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction ID: 058a7d43a967817002c084b33c0b5b4db7e84bcdc41db8ffaad28ceb426e4988
Opcode Fuzzy Hash: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction Fuzzy Hash: B0416972B187A10BCB1C8A2D8C95169BEC2BBD5321F0A8B7DD8D697386C5B48D0DC790

Function 0058E540 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59845c80f73a15e3b05cb42bff5b3d653e629c8e708305577ecb24b55e42dd06
Instruction ID: 5a17ec922d0b1b87e8635d23dbafa4d083c3b2a8dafa7a6e663e9973c718b12f
Opcode Fuzzy Hash: 59845c80f73a15e3b05cb42bff5b3d653e629c8e708305577ecb24b55e42dd06
Instruction Fuzzy Hash: E041B072B1421A4BC708EE2DD84553EB7F6ABE8304F548A2DE806D7254FB30DA15C7C5

Function 005EE490 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3f57fe918f0e36527b7964921b8d4cc73bf0c19e104463457388a5a553049b
Instruction ID: 0e7604cdf890282acceb8001d247f19711d962f5591ca85597e123170190d2ee
Opcode Fuzzy Hash: ce3f57fe918f0e36527b7964921b8d4cc73bf0c19e104463457388a5a553049b
Instruction Fuzzy Hash: 2A315B716242B51FD7108B1E8C41539BAD2EBC7216F4941FAE4E5CB342D378DA06DBE0

Function 005DD6F0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5941555875965a3a5c5beaa238375d84f0a68d8032d79d3bfd7eba04945614c6
Instruction ID: 83588e9b7c93dd1daa65336f423c0558d0daafe6849c214bc32e1805c26a9471
Opcode Fuzzy Hash: 5941555875965a3a5c5beaa238375d84f0a68d8032d79d3bfd7eba04945614c6
Instruction Fuzzy Hash: C521E736720A124B9B4CCB3DDC7667976E2E384341B88967EE95BCB3D1E7388515C740

Function 005EA4B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction ID: 658c92737d260dd7f9945421116997a3885e6d984753fa2918fcbc96259025f0
Opcode Fuzzy Hash: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction Fuzzy Hash: BE21A4715102625BD71ECE2EC8445B6FB91FBC5305F82836AED80DB289C639F825C7D0

Function 005EA410 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction ID: 1a4d6ce91bd1bac4b7f3532922f2fc02ec2841b0ee9a9f8bce747635ff71235e
Opcode Fuzzy Hash: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction Fuzzy Hash: 5D1148315101714BDB1EDD3ED888576BB94FB81315F86836ADD81AB189C625FC29C3E1

Function 005D6A70 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 397filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,5D2E80A5,?,00000000), ref: 005D6ACD
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6AEB
GetFileTime.KERNEL32(00000000,00000000,00000000,005D0E15,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF), ref: 005D6B0C
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6B16
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6B34
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6BA0
FileTimeToSystemTime.KERNEL32(005D0E15,00638E10,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?), ref: 005D6BB5
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6BBF
SystemTimeToFileTime.KERNEL32(00638E10,005D0E15,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?), ref: 005D6C26
SystemTimeToFileTime.KERNEL32(00638DFE,00632ECC,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?), ref: 005D6C47
CompareFileTime.KERNEL32(00632ECC,005D0E15,?,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?), ref: 005D6C5D
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6CCF
CreateFileW.KERNEL32(00000000,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,?,00000001,S-1-1-0,?,00000001), ref: 005D6D3B
GetLastError.KERNEL32(?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15), ref: 005D6D4D
CloseHandle.KERNEL32(00000000,?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,00623B2D,000000FF), ref: 005D6D59
CopyFileExW.KERNEL32(?,00000000,005D7340,00638DA8,00000000,00000000,?,?,?,?,?,?,?,00623B2D,000000FF), ref: 005D6D91
GetLastError.KERNEL32(?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6D9B
DeleteFileW.KERNEL32(006389C4,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6E44
MoveFileW.KERNEL32(00000000,006389C4), ref: 005D6E4F
CopyFileW.KERNEL32(00000000,006389C4,00000000,?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6E5F
GetLastError.KERNEL32(?,?,?,?,?,?,?,00623B2D,000000FF,?,005D0E15,?,?), ref: 005D6E69

Strings

S-1-5-18, xrefs: 005D6D06
S-1-1-0, xrefs: 005D6CF6
.part, xrefs: 005D6C9F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$Time$ErrorLast$CloseHandleSystem$CopyCreate$CompareDeleteExistsMovePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1792433798-2727065896
Opcode ID: 662531654e7ead8ef117d419ac60cae8397f8c9595f400636a4219db77a6e793
Instruction ID: 37fc67dc33989eb83f01e8cdf9d2c7c5bef61ee66f909c7af5f3d34e2e458d4c
Opcode Fuzzy Hash: 662531654e7ead8ef117d419ac60cae8397f8c9595f400636a4219db77a6e793
Instruction Fuzzy Hash: 81F19D74A002159FDB24DFA8DC99BAEBFB9FF08310F14415AE801A7391DB709D46CB91

Function 005D5F10 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 267windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005D5F3D
GetWindowLongW.USER32(?,000000F0), ref: 005D5F52
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D5F69
GetWindowLongW.USER32(?,000000EC), ref: 005D5F82
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D5F96
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 005D5FA4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005D5FB7
GetDlgItem.USER32(?,0000E801), ref: 005D5FC4
IsWindow.USER32(00000000), ref: 005D5FCD
DestroyWindow.USER32(00000000,?,00000000), ref: 005D5FE9
GetClientRect.USER32(?,?), ref: 005D6041
GetDlgItem.USER32(?,0000E801), ref: 005D6060
IsWindow.USER32(00000000), ref: 005D6067
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5402001C,?,?,?,?,?,0000E801,00000000), ref: 005D60AC
IsWindow.USER32(00000000), ref: 005D60B5
GetWindowRect.USER32(00000000,?), ref: 005D60D1
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 005D60E6
GetClientRect.USER32(?,?), ref: 005D6143
GetWindowRect.USER32(?,?), ref: 005D614B
GetDlgItem.USER32(?,0000042B), ref: 005D61E3
GetWindowRect.USER32(00000000,?), ref: 005D61F7
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 005D620C

Strings

SCROLLBAR, xrefs: 005D60A5

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$LongRect$Item$ClientMessagePointsSend$CreateDestroy
String ID: SCROLLBAR
API String ID: 3826962570-324577739
Opcode ID: 8e7c753edbc513b5eb352501f048da843849d6d79731466e7d3ee127e8d90bef
Instruction ID: e5a18b085a5748c428962d7201c8b774470d10907fcab5bd297046123defc890
Opcode Fuzzy Hash: 8e7c753edbc513b5eb352501f048da843849d6d79731466e7d3ee127e8d90bef
Instruction Fuzzy Hash: 5EB15774509701EFD720DF68C849F5ABBE6FF88710F104A1AF995973A0EB31A841CB92

Function 005A0BF0 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 360memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(?,5D2E80A5,?,00000000,00000000), ref: 005A0C79
CharNextW.USER32(?,00000000,00000000), ref: 005A0CF8
CharNextW.USER32(00000000,?,00000000,00000000), ref: 005A0D01
CharNextW.USER32(00000000,?,00000000,00000000), ref: 005A0D0A
CharNextW.USER32(00000000,?,00000000,00000000), ref: 005A0D13
CharNextW.USER32(?,?,00000000,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0D5D
CharNextW.USER32(?,?,00000000,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0D71
CharNextW.USER32(00000000,}},00000009,?,00000000,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0DEE
CharNextW.USER32(00000000,?,00000000,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0E27
EnterCriticalSection.KERNEL32(0000001B,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0E70
lstrcmpiW.KERNEL32(?,?,?,00000000,00000000), ref: 005A0E8A
LeaveCriticalSection.KERNEL32(0000001B,?,00000000,00000000), ref: 005A0E9E
LeaveCriticalSection.KERNEL32(0000001B,?,00000000,00000000), ref: 005A0ECE
CharNextW.USER32(00000000,?,?), ref: 005A0F21
CharNextW.USER32(?,00000000,00000001,5D2E80A5,?,00000000,00000000), ref: 005A0F44
CoTaskMemFree.OLE32(00000000,5D2E80A5,?,00000000,00000000), ref: 005A0F92

Strings

HKCU{Software{Classes, xrefs: 005A0D27
HKCR, xrefs: 005A0CDF
}}, xrefs: 005A0DC7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CharNext$CriticalSection$LeaveTask$AllocEnterFreelstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3576304915-1142484189
Opcode ID: 1c44d268e0c7ea7e55fb6bfdf89a709c9916fbc17d92acecc3a3e6f32724504d
Instruction ID: 0569caa20e11ac5cfbd9a6d1d4e8a6960e106cfc9dad5a452bf948585eea5c3b
Opcode Fuzzy Hash: 1c44d268e0c7ea7e55fb6bfdf89a709c9916fbc17d92acecc3a3e6f32724504d
Instruction Fuzzy Hash: AFD1C075A243459FCB20DFA4C858BAEBFB9BF0A700F245569E845EB2C1E7749D04CB90

Function 005ABD40 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 292libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00650AF0,5D2E80A5), ref: 005ABDB3
EnterCriticalSection.KERNEL32(00650AF0,5D2E80A5), ref: 005ABDC8
GetCurrentProcess.KERNEL32 ref: 005ABDD5
GetCurrentThread.KERNEL32 ref: 005ABDE3
SymSetOptions.IMAGEHLP(80000016), ref: 005ABE0F
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 005ABE7D
GetProcAddress.KERNEL32(00000000), ref: 005ABE84
SymInitialize.IMAGEHLP(00000000,00000000,00000001,006337C0,00000000), ref: 005ABECC
StackWalk.IMAGEHLP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,?,?,?), ref: 005AC00F
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,?,?,?), ref: 005AC0C0
SymCleanup.IMAGEHLP(?,?), ref: 005AC1A2
LeaveCriticalSection.KERNEL32(00650AF0,?), ref: 005AC1CD

Strings

Dbghelp.dll, xrefs: 005ABE78
MODULE_BASE_ADDRESS, xrefs: 005AC0F2
<--------------------MORE--FRAMES-------------------->, xrefs: 005AC05D
*** Stack Trace (x86) ***, xrefs: 005ABFA2
[0x%.8Ix] , xrefs: 005AC0C7
SymFromAddr, xrefs: 005ABE73

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: 670eb6702d4288b75c2b8c60a30111c1b2535201f25c04c5bddc8de5b008d9e7
Instruction ID: 663c172acd06ca6404d3da849fcfbcaa3df568ea8c7fefa4f9da1f5716f5a52c
Opcode Fuzzy Hash: 670eb6702d4288b75c2b8c60a30111c1b2535201f25c04c5bddc8de5b008d9e7
Instruction Fuzzy Hash: 96C1CC71900A699FDB20DB24CC49BEEBFB5BF46305F1042D8E509A7292DB742B85CF91

Function 0059AC20 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 347libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,5D2E80A5,?,?,?,?,?,?,?,?,5D2E80A5,006191F5,000000FF,?,0059A02A), ref: 0059AC93
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0059AC99
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,5D2E80A5,006191F5,000000FF,?,0059A02A,00634350,5D2E80A5), ref: 0059ACE0
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0059ACE6
CoInitializeEx.OLE32(00000000,00000000,5D2E80A5,?,?,?,0061922D,000000FF), ref: 0059B005

Part of subcall function 00598780: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00598890

Part of subcall function 005F3148: GetCurrentThreadId.KERNEL32 ref: 005F3173

Strings

CoIncrementMTAUsage, xrefs: 0059ACD6
RoGetActivationFactory, xrefs: 0059AC89
.dll, xrefs: 0059AE02
combase.dll, xrefs: 0059AC8E, 0059ACDB
DllGetActivationFactory, xrefs: 0059AE5E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc$CurrentFolderInitializePathThread
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2148253048-2454113998
Opcode ID: e3f53675a6636ef64a66d4de4f867027f64d2b5ad2b58517cb578396cbcd1e0c
Instruction ID: 278ddfe3f009f5a407396449ceb2c9f880fe4fc599a05e130bc1a9c83652eff3
Opcode Fuzzy Hash: e3f53675a6636ef64a66d4de4f867027f64d2b5ad2b58517cb578396cbcd1e0c
Instruction Fuzzy Hash: 81D19A70D0061AEFDF25DFA8D859BAEBFB5FF88710F144119E501A7290DB74AA40CBA1

Function 005B1410 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 231COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000007,000001F6), ref: 005B1458
GetDlgItem.USER32(00000007,000001F8), ref: 005B1468
GetDlgItem.USER32(00000007,000001F7), ref: 005B14AE
SetWindowTextW.USER32(00000000,?), ref: 005B14C1
ShowWindow.USER32(00000000,00000005), ref: 005B151F
GetDlgItem.USER32(00000007,000001F7), ref: 005B1545
SetWindowTextW.USER32(00000000,?), ref: 005B1558
ShowWindow.USER32(00000000,00000000), ref: 005B15B5
ShowWindow.USER32(?,00000000), ref: 005B15C0
SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 005B160D
GetDlgItem.USER32(?,000000FF), ref: 005B1640
IsWindow.USER32(00000000), ref: 005B164A
IsRectEmpty.USER32(?), ref: 005B1667
SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 005B1697

Strings

Details <<, xrefs: 005B1495
Details >>, xrefs: 005B152C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: 398d8b223350f99b6e2fa71cecb413df19cc21cefe8847cc2be2c3ddde9b0b53
Instruction ID: d2f668daa92f57469e00cbe39910c7d4ca2ef191bd2a24049c3805539d699bea
Opcode Fuzzy Hash: 398d8b223350f99b6e2fa71cecb413df19cc21cefe8847cc2be2c3ddde9b0b53
Instruction Fuzzy Hash: 5F81A071900605AFDB24DFA8CC5ABAEBBB6FF94700F14821DF912A6691D730B941CF54

Function 0059FE40 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 276COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,5D2E80A5), ref: 0059FEE8
GetLastError.KERNEL32 ref: 0059FEF2
EnterCriticalSection.KERNEL32(?), ref: 0059FF64
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0059FF91
GetModuleFileNameW.KERNEL32(00580000,?,00000104), ref: 0059FFEA
GetModuleHandleW.KERNEL32(00000000), ref: 005A0052
EnterCriticalSection.KERNEL32(?), ref: 005A0063
EnterCriticalSection.KERNEL32(?), ref: 005A011B
LeaveCriticalSection.KERNEL32(?,Module,?), ref: 005A014F
EnterCriticalSection.KERNEL32(?), ref: 005A0174
LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 005A01A8

Strings

Module_Raw, xrefs: 005A018F
REGISTRY, xrefs: 005A0229
8Fc, xrefs: 0059FF12
Module, xrefs: 005A0136

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$Enter$Leave$Module$ErrorFileHandleInitializeLastName
String ID: 8Fc$Module$Module_Raw$REGISTRY
API String ID: 2998937331-1165359549
Opcode ID: 91af5152a9cf39540979decaa191816927b916710e1f2d7809045496311bd2da
Instruction ID: 01810fb7a4221e4d9b1e9fd2338011057b075b010f19e289d200bad93cd671b5
Opcode Fuzzy Hash: 91af5152a9cf39540979decaa191816927b916710e1f2d7809045496311bd2da
Instruction Fuzzy Hash: F8B19F75A043188BDB20CF64CC48B9EBBB5BF8A300F1445E9E509A7680E7759E85CF92

Function 005D6640 Relevance: 25.8, APIs: 17, Instructions: 332COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 005D6685
GetWindowRect.USER32(00000000,?), ref: 005D6695
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 005D66C1
InvalidateRect.USER32(?,00000000,00000001), ref: 005D69AE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 005D69D7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: 6d9b64fc539ab417aed718774c565e16e51abd5f64ed34d3a808873e04217944
Instruction ID: d460663d908462b25bf3295db53c252b72335971caf30fd9472a6405f04e71df
Opcode Fuzzy Hash: 6d9b64fc539ab417aed718774c565e16e51abd5f64ed34d3a808873e04217944
Instruction Fuzzy Hash: 1DD13671608706AFD718CF6CC999A6ABBE5BF88304F089A1EF989C7354D770E841CB51

Function 005971F0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,5D2E80A5,00000000,?,?,?,?,?,?,?,?,?,?,?,5D2E80A5), ref: 00597273
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00597279
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 005972D0
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,006337C0,00000000,00000000,00000000), ref: 0059743B

Strings

CoIncrementMTAUsage, xrefs: 0059731A
RoGetActivationFactory, xrefs: 00597269
.dll, xrefs: 00597422
combase.dll, xrefs: 0059726E, 0059731F
DllGetActivationFactory, xrefs: 0059747E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$AddressErrorInfoProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 3571556279-2454113998
Opcode ID: c8ceb530300ae49128db95c06a5cb9b58074a57203f59922a82443ac39af7a3c
Instruction ID: bb212ebda099fd479046df8a4a59ca1a6ea5988ae23f1cb4a53648001ba29818
Opcode Fuzzy Hash: c8ceb530300ae49128db95c06a5cb9b58074a57203f59922a82443ac39af7a3c
Instruction Fuzzy Hash: 37B17A70D14619EFCF10DFA8D849BADBFB5BF88710F15455AE801AB290DB74AE41CB90

Function 005B10F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005A98C0: LoadLibraryW.KERNEL32(ComCtl32.dll,5D2E80A5,00000007,00000007,?), ref: 005A98FA
Part of subcall function 005A98C0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 005A9920
Part of subcall function 005A98C0: FreeLibrary.KERNEL32(00000000), ref: 005A99A9

GetDlgItem.USER32(?,000001F4), ref: 005B112B
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 005B113A
GetDC.USER32(00000000), ref: 005B1146
GetDeviceCaps.GDI32(00000000), ref: 005B114D
MulDiv.KERNEL32(00000009,00000000), ref: 005B1156
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 005B117F
GetDlgItem.USER32(?,000001F6), ref: 005B1190
IsWindow.USER32(00000000), ref: 005B1199
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 005B11B0
GetDlgItem.USER32(?,000001F8), ref: 005B11BE
GetWindowRect.USER32(?,?), ref: 005B11CD
GetWindowRect.USER32(00000000,?), ref: 005B11E1
GetWindowRect.USER32(00000000,?), ref: 005B11F5

Strings

Courier New, xrefs: 005B115C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 86147b59cf1777de4f73e41724a0678d62ceb1421420f4ac889289e10c9e8098
Instruction ID: 25b67f69bfaf315579f40730c67398064e2090efdd35ddc55dccef0350529229
Opcode Fuzzy Hash: 86147b59cf1777de4f73e41724a0678d62ceb1421420f4ac889289e10c9e8098
Instruction Fuzzy Hash: 15415671784701BBFB249F209C4BFBA3BA5FF48B05F101528BB05AD1D2DAB0B8448B54

Function 005A4B10 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 399libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 005A4BA2
GetLastError.KERNEL32 ref: 005A4BD0

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 005A4BE6
FreeLibrary.KERNEL32(00000000), ref: 005A4C02
GetLastError.KERNEL32 ref: 005A4C0F
GetLastError.KERNEL32 ref: 005A4E06
GetLastError.KERNEL32 ref: 005A4E6B

Strings

ConvertStringSidToSidW, xrefs: 005A4BE0
Advapi32.dll, xrefs: 005A4B9D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: 16fe1159c60e10d434616b4286cb63bd87ee978adc585990b19893db4fa4c775
Instruction ID: f243d7dfda82c0f05105bca8c1487016e705ea77049dd6710464d9eb97e42f27
Opcode Fuzzy Hash: 16fe1159c60e10d434616b4286cb63bd87ee978adc585990b19893db4fa4c775
Instruction Fuzzy Hash: 8FF15AB1C0120AEFDB10DFA4D945BAEBBB5FF85310F208119E915B7280E775AA45CFA1

Function 005D1750 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,5D2E80A5,?,?,00000000), ref: 005D178F
GetLastError.KERNEL32 ref: 005D17B0

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

GetFileSize.KERNEL32(00000000,00000000), ref: 005D17C0
GetLastError.KERNEL32 ref: 005D17CD
CloseHandle.KERNEL32(?), ref: 005D1A94

Strings

utf-8, xrefs: 005D1845
utf-16, xrefs: 005D1862
US-ASCII, xrefs: 005D1966
ISO-8859-1, xrefs: 005D1949

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLast$AllocateCloseCreateHandleHeapSize
String ID: ISO-8859-1$US-ASCII$utf-16$utf-8
API String ID: 4082270022-3020978663
Opcode ID: d8ffce3fe3fb45d3f67a0b019282502c9d735bcdfb4b99b99c2042d904e9c85a
Instruction ID: a7aaaaa569c017ff3a2aad331c564a0e6f4ea3677f60bd448d88c3a46cd5b265
Opcode Fuzzy Hash: d8ffce3fe3fb45d3f67a0b019282502c9d735bcdfb4b99b99c2042d904e9c85a
Instruction Fuzzy Hash: 18A1F771A00B06AFDB20DF68CC59FAEBFB9BF44310F14452AE901A7391DB749905CBA5

Function 005AA750 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 211fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00650A68,5D2E80A5,00000000,?), ref: 005AA78C

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

EnterCriticalSection.KERNEL32(?,5D2E80A5,00000000,?), ref: 005AA799
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA7CB
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA7D4
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,00634EF4,00000001,?,?,000000FF,00000000), ref: 005AA86C
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA875
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,?,?,000000FF,00000000), ref: 005AA8BD
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA8C6
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,006337E8,00000002,?,?,000000FF,00000000), ref: 005AA935
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA93E
LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF,00000000), ref: 005AA97A

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

Strings

7c, xrefs: 005AA8F8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindHeapInitializeLeaveProcessResource
String ID: 7c
API String ID: 3680465103-2693596234
Opcode ID: b38c264f9371bb6faa99f3c005fed5fe60deed5effde234ea94de4a95ed3d703
Instruction ID: 2965b85647f39d24007bd7b9edd8c2083b60fa5a65349722bac014da8b8a434b
Opcode Fuzzy Hash: b38c264f9371bb6faa99f3c005fed5fe60deed5effde234ea94de4a95ed3d703
Instruction Fuzzy Hash: 1571CA71A006059FDB10DF68CC49BAEBFB6FF45320F144188E811A73A2DB359E06CBA1

Function 005B0770 Relevance: 21.1, APIs: 14, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005B07A9
GetWindowLongW.USER32(?,000000F0), ref: 005B07BE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B07D4
GetWindowLongW.USER32(?,000000EC), ref: 005B07E7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B07FA
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 005B0808
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005B081B
GetClientRect.USER32(?,?), ref: 005B0830
GetClientRect.USER32(?,?), ref: 005B0858
GetWindowRect.USER32(?,?), ref: 005B0860
GetDlgItem.USER32(?,?), ref: 005B0897
IsWindow.USER32(00000000), ref: 005B08A2
GetWindowRect.USER32(?,?), ref: 005B08BD
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 005B08CE

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Rect$ClientMessageSend$ItemPoints
String ID:
API String ID: 3417004906-0
Opcode ID: 24047c24d219739141cc1092024d8c19fb00861b3b03e8bf4ecf95e8f89ff7ae
Instruction ID: 2fc0297f8f906cbaa40566a8d7f716123bdc388406029c74759cd237b2d73ed4
Opcode Fuzzy Hash: 24047c24d219739141cc1092024d8c19fb00861b3b03e8bf4ecf95e8f89ff7ae
Instruction Fuzzy Hash: CE415B70508702DFD720DF28DC89B6BBBE5FF98710F205B1DF896961A1DB30A9858B61

Function 005BBEA0 Relevance: 19.7, APIs: 13, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005BBEE7
GetParent.USER32(00000000), ref: 005BBEFA
GetWindow.USER32(00000000,00000004), ref: 005BBF05
GetWindowRect.USER32(?,?), ref: 005BBF13
GetWindowLongW.USER32(00000000,000000F0), ref: 005BBF26
MonitorFromWindow.USER32(?,00000002), ref: 005BBF3E
GetMonitorInfoW.USER32(00000000,?), ref: 005BBF54
GetWindowRect.USER32(00000000,?), ref: 005BBF7A
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 005BC035

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: 2f40de9c5d66602bb66519306fd46f847c70b3feaf6a5bf839bbf2cb6efacd55
Instruction ID: c84cc77d5cb7ae995103b71c5ccdbd25229a05661ec8ba2a430fa0dc351a74f1
Opcode Fuzzy Hash: 2f40de9c5d66602bb66519306fd46f847c70b3feaf6a5bf839bbf2cb6efacd55
Instruction Fuzzy Hash: 14514D72904519EFDB20CF68CD49AEEBBBAFB44710F245229F815E3290DB70AD419B50

Function 005D08D0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 473synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005D09C2
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,.part,00000005,?,?,?), ref: 005D0AFC
GetFileSize.KERNEL32(00000000,00000000), ref: 005D0B31
CloseHandle.KERNEL32(00000000), ref: 005D0B55
ResetEvent.KERNEL32(?,00000000,00638A34,00000000,00000000,00000000,00000000,00000000,?), ref: 005D0E6B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D0E94
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D0EA2

Strings

<, xrefs: 005D09B1
#, xrefs: 005D0D62
.part, xrefs: 005D0925

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileObjectSingleWait$CloseCreateErrorEventHandleLastResetSize
String ID: #$.part$<
API String ID: 1885162932-1559421475
Opcode ID: 8c9291d9f42d47a8899d4b03b9229061dbba9658711791ba9e587a7bafe15a5c
Instruction ID: 6590c2d9b22bd5d94eb3815cd95563791dadc7ad2ec0a5107807e4eceb530072
Opcode Fuzzy Hash: 8c9291d9f42d47a8899d4b03b9229061dbba9658711791ba9e587a7bafe15a5c
Instruction Fuzzy Hash: F2227E30900659DFDB20DF68CC58BADBBB5BF45314F14928AE809A7391DB70AE85CF91

Function 005B5B60 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 309fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00584450: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00584547
Part of subcall function 00584450: GetProcAddress.KERNEL32(00000000), ref: 0058454E
Part of subcall function 00584450: PathFileExistsW.SHLWAPI(?), ref: 005845BC

Part of subcall function 00584850: GetTempFileNameW.KERNEL32(?,00000000,00000000,?,5D2E80A5,?,00000004), ref: 005848C8

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000), ref: 005B5CCD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 005B5CF5
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000000), ref: 005B5D37
CloseHandle.KERNEL32(?,?,00000000), ref: 005B5DAA
ShellExecuteW.SHELL32(00000000,open,?,00000000,?,00000000), ref: 005B5DDE

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

ShellExecuteExW.SHELL32(?), ref: 005B5E36

Strings

runas, xrefs: 005B5E1E
open, xrefs: 005B5DD7
.bat, xrefs: 005B5C03
EXE, xrefs: 005B5C08

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$Handle$CloseExecuteShell$AddressCreateExistsFindHeapModuleNamePathProcProcessResourceTempWrite
String ID: .bat$EXE$open$runas
API String ID: 1017135135-1492471297
Opcode ID: 79d09950081c7dab166e39bc0f966c545b444c0751eb190099fbf6565db13da0
Instruction ID: e94f5f83cfbb64e17beb09e1ce0cc9997b7aebde4f81ec9d13f40f0d69cf25d2
Opcode Fuzzy Hash: 79d09950081c7dab166e39bc0f966c545b444c0751eb190099fbf6565db13da0
Instruction Fuzzy Hash: D5C19970900649DFDB04DF68C859BED7FA5BF48324F288259F815AB2D1DB74AE06CB90

Function 005EF270 Relevance: 16.6, APIs: 11, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 005EF27C
GetLastError.KERNEL32 ref: 005EF286
SetEvent.KERNEL32(?), ref: 005EF28F
GetLastError.KERNEL32 ref: 005EF299
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005EF2A4
GetLastError.KERNEL32 ref: 005EF2AF
CloseHandle.KERNEL32(00000000), ref: 005EF2BD
GetLastError.KERNEL32 ref: 005EF2C7
CloseHandle.KERNEL32(?), ref: 005EF2DE
GetLastError.KERNEL32 ref: 005EF2E8
CloseHandle.KERNEL32(?), ref: 005EF2FF

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Event$ObjectSingleWait
String ID:
API String ID: 2663162059-0
Opcode ID: d4c225ab23472d5bc28df31ab7120567b0e0e60c9e6a7796b384b5312be20016
Instruction ID: 822efb0cb848dc1f49ba829425beea9964beab6d2edda3b6ea8ef4cd36889305
Opcode Fuzzy Hash: d4c225ab23472d5bc28df31ab7120567b0e0e60c9e6a7796b384b5312be20016
Instruction Fuzzy Hash: A4112AB8208A81CBDB345F76EC0CF577FB5BF14355B145A28E592D25A0EB30D8499B60

Function 00599AF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C08
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C12
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C24
GetExitCodeProcess.KERNEL32(?,?), ref: 00599C41
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C4B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C58
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00599C62

Strings

"%s" %s, xrefs: 00599B90
D, xrefs: 00599B21

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$D
API String ID: 3234789809-3971972636
Opcode ID: 6f5f5208812e699e4684bbe50f2fb2254545633823c01f0cfedb2f2874a15094
Instruction ID: 22392e6fd1da9545704c5aa19e8f542a2b825fd2d79a216263dcd2dfe9537a9f
Opcode Fuzzy Hash: 6f5f5208812e699e4684bbe50f2fb2254545633823c01f0cfedb2f2874a15094
Instruction Fuzzy Hash: A5517D71E046169FCF14DF68DC44AAEBBBAFF44710F20462EE921A7290D734AD45CBA0

Function 00595100 Relevance: 15.3, APIs: 10, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32(00000000,00000000,5D2E80A5,00000000), ref: 0059517A
SysFreeString.OLEAUT32(00000001), ref: 00595200
SysFreeString.OLEAUT32(00000000), ref: 00595288
SysStringLen.OLEAUT32(00000000), ref: 005952B7
GetProcessHeap.KERNEL32(-000000FE,?), ref: 00595300
HeapFree.KERNEL32(00000000,-000000FE,?), ref: 00595306
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,5D2E80A5,00000000), ref: 00595333
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,5D2E80A5,00000000), ref: 00595339
SysFreeString.OLEAUT32(00000000), ref: 00595351
SetErrorInfo.OLEAUT32(00000000,00000000), ref: 00595407

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Free$HeapString$ErrorInfoProcess
String ID:
API String ID: 1533966657-0
Opcode ID: e683629c744243671d0eab327882f305b54ba28cfd0255bb33bc4560c02d9ab1
Instruction ID: faf410244012638b5fd8a75dc4717c7e5c98b16ae032e13b791b67fd4de845a5
Opcode Fuzzy Hash: e683629c744243671d0eab327882f305b54ba28cfd0255bb33bc4560c02d9ab1
Instruction Fuzzy Hash: E9A17B70D0161ADBDF11DFA4C849BAEBFB8FF45314F144559E811AB281E7B89E04CBA1

Function 005B0F30 Relevance: 15.2, APIs: 10, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 005B0F3E
DeleteObject.GDI32(?), ref: 005B0F96

Part of subcall function 005B0910: IsWindowVisible.USER32 ref: 005B0926
Part of subcall function 005B0910: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005B093C
Part of subcall function 005B0910: GetWindowLongW.USER32(?,000000F0), ref: 005B0946
Part of subcall function 005B0910: GetDlgItem.USER32(?,?), ref: 005B09B2
Part of subcall function 005B0910: GetWindowRect.USER32(00000000,?), ref: 005B09CA
Part of subcall function 005B0910: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 005B09DB

EndDialog.USER32(?,00000000), ref: 005B1016

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$DeleteDialogItemMessageObjectPointsRectSendVisible
String ID:
API String ID: 2368538989-0
Opcode ID: 4e748f39aacb7fc76a54b8f4e0b3871d5b79f4e3c880dc74a7a0c34601da392c
Instruction ID: 63fd5525eafb67ba9ebf7ca03a30baaee7279eb219b2b838196248a150e4fb27
Opcode Fuzzy Hash: 4e748f39aacb7fc76a54b8f4e0b3871d5b79f4e3c880dc74a7a0c34601da392c
Instruction Fuzzy Hash: 04410436304A1857D734AE39AC1EFFB7B98FB85771F00072AFD12C62D0CA61A85197A4

Function 005CD6A0 Relevance: 15.1, APIs: 10, Instructions: 148windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 005CD6DB
SendMessageW.USER32(00000000,00000406,00000000,?), ref: 005CD6EF

Part of subcall function 005D4D20: GetWindowLongW.USER32(?,000000F0), ref: 005D4D35
Part of subcall function 005D4D20: GetParent.USER32(?), ref: 005D4D43

GetDlgItem.USER32(?,0000040A), ref: 005CD719

Part of subcall function 005CCEB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 005CCEF3
Part of subcall function 005CCEB0: GetWindowLongW.USER32(?,000000F0), ref: 005CCF08
Part of subcall function 005CCEB0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 005CCF20
Part of subcall function 005CCEB0: CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 005CCF5D
Part of subcall function 005CCEB0: IsWindow.USER32(00000000), ref: 005CCF67
Part of subcall function 005CCEB0: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 005CCF7D

Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 005CCA3E
Part of subcall function 005CCA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005CCA4D

Part of subcall function 005BBEA0: GetWindowLongW.USER32(?,000000F0), ref: 005BBEE7
Part of subcall function 005BBEA0: GetParent.USER32(00000000), ref: 005BBEFA
Part of subcall function 005BBEA0: GetWindowRect.USER32(?,?), ref: 005BBF13
Part of subcall function 005BBEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 005BBF26
Part of subcall function 005BBEA0: MonitorFromWindow.USER32(?,00000002), ref: 005BBF3E
Part of subcall function 005BBEA0: GetMonitorInfoW.USER32(00000000,?), ref: 005BBF54

SetWindowTextW.USER32(?,?), ref: 005CD7C5
GetDlgItem.USER32(?,00000002), ref: 005CD80C
EnableWindow.USER32(00000000,00000000), ref: 005CD815
GetSystemMenu.USER32(?,00000000), ref: 005CD81F
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 005CD83D
DestroyMenu.USER32(00000000), ref: 005CD84F
SetEvent.KERNEL32(?,000000DA), ref: 005CD86A

Part of subcall function 005AF8E0: GetFileVersionInfoSizeW.KERNELBASE(?,?,5D2E80A5,00000000,?,?,00000000,0061CCC5,000000FF,?,005BA745), ref: 005AF945

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$MessageSend$ItemMenu$InfoMonitorParent$CreateDestroyEnableEventFileFromModifyRectSizeSystemTextVersion
String ID:
API String ID: 3019886063-0
Opcode ID: c4bb7be553ffde2fc0ae4cdfd81c110abf8f920c7c24bc367a4d811a1adab740
Instruction ID: fce4c037e2cd54153e319e93696ea571ff23343c9bc230009a643491e4489a8f
Opcode Fuzzy Hash: c4bb7be553ffde2fc0ae4cdfd81c110abf8f920c7c24bc367a4d811a1adab740
Instruction Fuzzy Hash: 81518B71600605AFEB10EFA4CC49FA97BB6FF48310F104169F915EB2E1CB759902DB60

Function 005CAA20 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,5D2E80A5), ref: 005CAA57

Part of subcall function 005A6150: MultiByteToWideChar.KERNEL32(00000003,00000000,006338A1,000000FF,00000000,00000000,00000000,?,?,005B83BC,006338A1), ref: 005A6168
Part of subcall function 005A6150: MultiByteToWideChar.KERNEL32(00000003,00000000,006338A1,000000FF,?,-00000001,?,005B83BC,006338A1), ref: 005A619A

Strings

.jar, xrefs: 005CAF94
2#vp1#v, xrefs: 005CB25A
.pack, xrefs: 005CADD7
@9c, xrefs: 005CB19F
*.*, xrefs: 005CAAED, 005CAB08
p2#v3#v, xrefs: 005CB105, 005CB288, 005CB31E
0!X, xrefs: 005CB33A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: 2#vp1#v$*.*$.jar$.pack$0!X$@9c$p2#v3#v
API String ID: 3339361032-2429828880
Opcode ID: 800e95205ce757e20e6365f58de4bbc520610226a19a2471b959e426b78e1fa0
Instruction ID: c8c3573b08637c24207a6cb7e5ce6749026d4d1038fe304104225e5fd290b492
Opcode Fuzzy Hash: 800e95205ce757e20e6365f58de4bbc520610226a19a2471b959e426b78e1fa0
Instruction Fuzzy Hash: 32615F70A0061A9FDB04DFA8C894BAEBFB5FF48324F15455DE421A7391DB34AD01CBA5

Function 005CEBE0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 005CEC2D
GetForegroundWindow.USER32 ref: 005CEC39
SetLastError.KERNEL32(0000000E,?,?,?,5D2E80A5), ref: 005CEC80

Strings

\,e, xrefs: 005CECF1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$ActiveErrorForegroundLast
String ID: \,e
API String ID: 1822391280-2651779263
Opcode ID: fee8f144c43794c31f8af33a3774cd737d97282e7b8a013ca50dbd25006c6ecd
Instruction ID: 85791725a1ec70c061fc9cfa544420ba77bd732258de272042ed0dae2935fdc3
Opcode Fuzzy Hash: fee8f144c43794c31f8af33a3774cd737d97282e7b8a013ca50dbd25006c6ecd
Instruction Fuzzy Hash: 8441C472904609DFDB21DFA4D849FDDBFB9FF15310F14426AE811A7281DB74AA05CB90

Function 005D1F20 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 102COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,00000000,?,000000FF,?,005D1597,?,?,?,00000000), ref: 005D1F65
GetFileSize.KERNEL32(?,00000000,?,00000000,?,000000FF,?,005D1597), ref: 005D1F75

Strings

+Fa, xrefs: 005D2CEE
Local Network Server, xrefs: 005D2598, 005D25AA, 005D25B4
HTTP/1.0, xrefs: 005D2CE4
FTP Server, xrefs: 005D2878, 005D288A, 005D2894
., xrefs: 005D22A7
?Fa, xrefs: 005D29E1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushSize
String ID: +Fa$?Fa$FTP Server$HTTP/1.0$Local Network Server$.
API String ID: 3400284609-4284345852
Opcode ID: 541da28679321b0ec6dba201a509a8ac232cb4adbe7df8e794c1bf86059ec047
Instruction ID: 2ab5aa828952e19584016802a5326effa37f2b6d95e8464c978b3094f7d9cf4e
Opcode Fuzzy Hash: 541da28679321b0ec6dba201a509a8ac232cb4adbe7df8e794c1bf86059ec047
Instruction Fuzzy Hash: 96419F71A00649DFDB10DF68C844BAEBBB9FF08320F14426AE921E7391D7759E01CBA0

Function 005F4310 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005F4316
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005F4324
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 005F4335
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 005F4346

Strings

GetTempPath2W, xrefs: 005F433B
GetCurrentPackageId, xrefs: 005F431E
kernel32.dll, xrefs: 005F4311
GetSystemTimePreciseAsFileTime, xrefs: 005F432A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 7783bfa3b6088073cace87d2dfd6ce6192f5e4f80c5ef78fc106c4c2a842d791
Instruction ID: b50c659d747bd2a7f31f9f17b0e2723a77550ad001043685715d2daba3d0773e
Opcode Fuzzy Hash: 7783bfa3b6088073cace87d2dfd6ce6192f5e4f80c5ef78fc106c4c2a842d791
Instruction Fuzzy Hash: EBE0E6B5585620EB97105FB47D4DC473AE7EB29B523015461F505D2250DBB404468F91

Function 00594C40 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(005953F4,?,?,000000FF), ref: 00594D7D
HeapFree.KERNEL32(00000000,005953F4,?,?,000000FF), ref: 00594D83
GetProcessHeap.KERNEL32(005952F5,000000FF,?,000000FF), ref: 00594DBD
HeapFree.KERNEL32(00000000,005952F5,000000FF,?,000000FF), ref: 00594DC3

Strings

?c, xrefs: 00594C9A
d@c, xrefs: 00594E27
4@c, xrefs: 00594E08
$@c, xrefs: 00594E89
D@c, xrefs: 00594E46

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: $@c$4@c$D@c$d@c$?c
API String ID: 3859560861-3995529386
Opcode ID: b195769b4b5773e22697f7b79d0c9cedc0d2f7a6f82a1d61ef68b540a8c0fff5
Instruction ID: b6011aab6c699ada9373096a2a66c8cff7a6720a6775341bb4acf7ccefb71cec
Opcode Fuzzy Hash: b195769b4b5773e22697f7b79d0c9cedc0d2f7a6f82a1d61ef68b540a8c0fff5
Instruction Fuzzy Hash: 3B81BFB6A003068FEF14CF58C844BAEBBA5FF90324F154669E915AB380D779ED058F91

Function 005D5830 Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000427), ref: 005D58D6
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005D58E6
EndDialog.USER32(?,00000001), ref: 005D58FA

Part of subcall function 005D5C00: SetWindowTextW.USER32(?,00623AD5), ref: 005D5C9E
Part of subcall function 005D5C00: GetDlgItem.USER32(?,0000042B), ref: 005D5D02
Part of subcall function 005D5C00: SetWindowTextW.USER32(00000000,00000000), ref: 005D5D0D
Part of subcall function 005D5C00: GetDlgItem.USER32(?,00000001), ref: 005D5D17
Part of subcall function 005D5C00: EnableWindow.USER32(00000000,00000000), ref: 005D5D20

EndDialog.USER32(?,00000002), ref: 005D5925
GetDlgItem.USER32(?,00000001), ref: 005D5974
EnableWindow.USER32(00000000,00000000), ref: 005D5986

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ItemWindow$DialogEnableText$MessageSend
String ID:
API String ID: 3408327222-0
Opcode ID: 3969f2cc1df9424f5a9959604bbf5a954348af5b3458a905d1f8c1b7f3f2004c
Instruction ID: f16cc7748a3cd889fec8929eebd0ffe3ba462acfc1d2e3eb06aa9b2a20b56d7c
Opcode Fuzzy Hash: 3969f2cc1df9424f5a9959604bbf5a954348af5b3458a905d1f8c1b7f3f2004c
Instruction Fuzzy Hash: 8F51E371A006059FDB34EF68D885B6A7BA5FB94321F40812BF90187390EB71DCA5DBE1

Function 005B0910 Relevance: 13.6, APIs: 9, Instructions: 147windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005B0926
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005B093C
GetWindowLongW.USER32(?,000000F0), ref: 005B0946
GetDlgItem.USER32(?,?), ref: 005B09B2
GetWindowRect.USER32(00000000,?), ref: 005B09CA
MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 005B09DB
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 005B0A57
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005B0A85
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 005B0A96

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$ItemLongPointsRectRedrawVisible
String ID:
API String ID: 3196996609-0
Opcode ID: c7321682b049781b70c3ef162dc4d886528930e7e542f49f5f12225f5cce50a6
Instruction ID: 3e49b947f7d28060d80a6dfc7010a5aaa8688fb9db7fee1828908fac4b82a8c0
Opcode Fuzzy Hash: c7321682b049781b70c3ef162dc4d886528930e7e542f49f5f12225f5cce50a6
Instruction Fuzzy Hash: 09515931208701DFE724CF28C889B6BBBE2BF84744F145A1CF9959B2A5D771E845CB51

Function 00596480 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 363memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,5D2E80A5), ref: 005964FC
GetProcessHeap.KERNEL32(?,00000000), ref: 00596613
HeapFree.KERNEL32(00000000,?,00000000), ref: 00596619
GetProcessHeap.KERNEL32(?,00000000), ref: 005966AA
HeapFree.KERNEL32(00000000,?,00000000), ref: 005966B0
CoUninitialize.OLE32 ref: 0059688A

Strings

4?c, xrefs: 005966F2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID: 4?c
API String ID: 4239879612-1346801280
Opcode ID: ed77a124cde4f37f88de446e4836375642632037013f621906de6ecdd53a260b
Instruction ID: f208475421919473e3727ce2f339cb5a143f208cf33b73a5a426ecbf5050a0fc
Opcode Fuzzy Hash: ed77a124cde4f37f88de446e4836375642632037013f621906de6ecdd53a260b
Instruction Fuzzy Hash: 5FE17870D00259CFDF14DFA8C948BAEBFB9BF44304F244199E409AB291DB34AA49DF61

Function 005B0AC0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,00000025,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 005B0DC5
DialogBoxIndirectParamW.USER32(00000000,00000000,?,005B0F30,00000000), ref: 005B0E14

Strings

Send Error Report, xrefs: 005B0D22
d\c, xrefs: 005B0C7D
Details >>, xrefs: 005B0D4B
Close, xrefs: 005B0CC8
Copy, xrefs: 005B0DAC

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: DialogHandleIndirectModuleParam
String ID: Close$Copy$Details >>$Send Error Report$d\c
API String ID: 279259766-2268044251
Opcode ID: 42739dd0f35a406c4872e2d627354cd7e695b7bbcde5b7c6bcb800028c111282
Instruction ID: c92e35fb5d39d92949ebd48717463585e6c14019b3a82b0168187b602866764e
Opcode Fuzzy Hash: 42739dd0f35a406c4872e2d627354cd7e695b7bbcde5b7c6bcb800028c111282
Instruction Fuzzy Hash: 73D18C70A00619AFDB14DFA4CC56BEEBBB5BF48714F104619F511BB2C0E7B0AA01CB94

Function 005F62D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005F6307
___except_validate_context_record.LIBVCRUNTIME ref: 005F630F
_ValidateLocalCookies.LIBCMT ref: 005F6398
__IsNonwritableInCurrentImage.LIBCMT ref: 005F63C3
_ValidateLocalCookies.LIBCMT ref: 005F6418

Strings

csm, xrefs: 005F63AD
P`_, xrefs: 005F63B5, 005F63BE, 005F63CF

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: P`_$csm
API String ID: 1170836740-1013232017
Opcode ID: 4a5d090e6d0ff948cd08d75c5638c2efdeb399e0437d67daaba1b48078f6ac32
Instruction ID: 2509d9cd1d3cf8aebf94e01f0e38a8b0cc9ddfc5843d76c02620e63a20415ad4
Opcode Fuzzy Hash: 4a5d090e6d0ff948cd08d75c5638c2efdeb399e0437d67daaba1b48078f6ac32
Instruction Fuzzy Hash: E141E638A0020DEBCF10DF68C884AAEBFB6BF44314F148555EA149B392D739E955CF91

Function 005A17F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,5D2E80A5,?,00000000,?,?,Function_00095000,000000FF,?,005A173D,?), ref: 005A182A
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 005A183A
GetModuleHandleW.KERNEL32(Advapi32.dll,5D2E80A5,?,00000000,?,?,Function_00095000,000000FF,?,005A173D,?), ref: 005A18A6
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005A18B6

Strings

RegDeleteKeyExW, xrefs: 005A18B0
RegDeleteKeyTransactedW, xrefs: 005A1834
Advapi32.dll, xrefs: 005A1825, 005A18A1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: 01d205934a5827654c58af6a174dedc5aef6b8bf1695943e374f22cc3e1c78a0
Instruction ID: a0a0dc0069d5bc443497edf77263063e04852d12e101dc6eb20d2f5a66affc94
Opcode Fuzzy Hash: 01d205934a5827654c58af6a174dedc5aef6b8bf1695943e374f22cc3e1c78a0
Instruction Fuzzy Hash: 4831E376A08A05EFDB20CF55EC05F5DFFAAFB45B21F10412AE90593390CB76A850DB98

Function 005AFB40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00650A68), ref: 005AFB50
LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00650A68), ref: 005AFB63
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 005AFB73
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 005AFC02
SHGetMalloc.SHELL32(?), ref: 005AFC4A

Strings

SHGetSpecialFolderPathW, xrefs: 005AFB6D
Shell32.dll, xrefs: 005AFB5E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 686d843343788f8ba0f3c2c739e0acd4968ee1f407b09cf756a8d700d2767735
Instruction ID: d4627f877bfcd2f716b9f924e272d5e7115b24e8719bdda06dfd8b3de9560b03
Opcode Fuzzy Hash: 686d843343788f8ba0f3c2c739e0acd4968ee1f407b09cf756a8d700d2767735
Instruction Fuzzy Hash: 103128716047159BDB209F54DC15F6BBBF6BF84710F08842CE845871D4EB75988687A2

Function 005CDC50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 005CDC7B
SetLastError.KERNEL32(0000000E), ref: 005CDC98
GetCurrentThreadId.KERNEL32 ref: 005CDCC7
EnterCriticalSection.KERNEL32(00652C5C), ref: 005CDCE7
LeaveCriticalSection.KERNEL32(00652C5C), ref: 005CDD0B
DialogBoxParamW.USER32(000000D8,00000000,Function_0003BD70,00000000), ref: 005CDD28

Part of subcall function 005F1F2A: GetProcessHeap.KERNEL32(00000008,00000008,?,005BA67E), ref: 005F1F2F
Part of subcall function 005F1F2A: HeapAlloc.KERNEL32(00000000), ref: 005F1F36

Strings

\,e, xrefs: 005CDCD0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalHeapSection$ActiveAllocCurrentDialogEnterErrorLastLeaveParamProcessThreadWindow
String ID: \,e
API String ID: 828238446-2651779263
Opcode ID: 3bd22507b967ad601f39fc5490182c72718fdfd70018a5e3ba82a36f0dfa0391
Instruction ID: 7a0b6b9ab7b11a1e06c6ef54bfbe65cb9f84ad49d2d222da8b19a1bff80517a8
Opcode Fuzzy Hash: 3bd22507b967ad601f39fc5490182c72718fdfd70018a5e3ba82a36f0dfa0391
Instruction Fuzzy Hash: 7131E136A04745AFC720CFA8EC09B9DBBB5FB45715F10466EE915EB780C7B16801CBA1

Function 005CCEB0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 005CCEF3
GetWindowLongW.USER32(?,000000F0), ref: 005CCF08
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005CCF20
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 005CCF5D
IsWindow.USER32(00000000), ref: 005CCF67
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 005CCF7D

Part of subcall function 005F1F2A: GetProcessHeap.KERNEL32(00000008,00000008,?,005BA67E), ref: 005F1F2F
Part of subcall function 005F1F2A: HeapAlloc.KERNEL32(00000000), ref: 005F1F36

Strings

tooltips_class32, xrefs: 005CCF56

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Heap$AllocCreateMessageProcessSend
String ID: tooltips_class32
API String ID: 1584627587-1918224756
Opcode ID: e0420c31fddb5e24f9ad0899e8b5c45aafaf26a8dd6a703a207417e259a5db5e
Instruction ID: 27aa4ea697b573d4da5a1c01a56c1d6b60de1fc27c1709baad8e188bc229007f
Opcode Fuzzy Hash: e0420c31fddb5e24f9ad0899e8b5c45aafaf26a8dd6a703a207417e259a5db5e
Instruction Fuzzy Hash: 8021A375204602BFDB109F64DC49F26BFAAFB49721F105319F519D36E0DB70A851CBA4

Function 005A5090 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 005A50A2
LocalFree.KERNEL32(?,?,?), ref: 005A50B6
GetLastError.KERNEL32 ref: 005A50F8
LocalAlloc.KERNEL32(00000040,00000014), ref: 005A5138
GetLastError.KERNEL32 ref: 005A5152
LocalFree.KERNEL32(?), ref: 005A5163

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Strings

sFa, xrefs: 005A50EE
}Fa, xrefs: 005A512A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocAllocateHeap
String ID: sFa$}Fa
API String ID: 1027944315-3528513635
Opcode ID: cd295186d693bf61c6f205831eee928c0be58aa57f237278f22fbe85ae86317a
Instruction ID: f8becf4cb6f8b8d534912dcf7800bc0535efe87003f9bc460992f99e4a986442
Opcode Fuzzy Hash: cd295186d693bf61c6f205831eee928c0be58aa57f237278f22fbe85ae86317a
Instruction Fuzzy Hash: 5E31F470604B02AFD7309F29EC48B6BBBE9BB45705F00892DE986C2690E774D549CBA1

Function 005F1DC8 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,005F1F72,00000000), ref: 005F1DEC
HeapAlloc.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1DF3

Part of subcall function 005F1EBE: IsProcessorFeaturePresent.KERNEL32(0000000C,005F1DDA,00000000,?,005F1F72,00000000), ref: 005F1EC0

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,005F1F72,00000000), ref: 005F1E03
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,005F1F72,00000000), ref: 005F1E2A
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,005F1F72,00000000), ref: 005F1E3E
InterlockedPopEntrySList.KERNEL32(00000000,?,005F1F72,00000000), ref: 005F1E51
VirtualFree.KERNEL32(00000000,00000000,00008000,?,005F1F72,00000000), ref: 005F1E64

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 361adf408d7a000a8b9092989a4f833499b27e918decbab6a2a0b67c11647ad4
Instruction ID: f8174b59e0aa71b746dfbaf8ffb511f8fc3a9bf250461e0ecbe158e0a2524ec5
Opcode Fuzzy Hash: 361adf408d7a000a8b9092989a4f833499b27e918decbab6a2a0b67c11647ad4
Instruction Fuzzy Hash: 1011E271606E1AEBE7311B64AC48F7B3E6EBB45781F105530FF01DA150DA28CC0246B8

Function 005D0160 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005D027A
ResetEvent.KERNEL32(?,?,?,?,?,?,?,POST,?,?,-00000010), ref: 005D0475
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D0495
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D04A0

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 005D1750: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,5D2E80A5,?,?,00000000), ref: 005D178F
Part of subcall function 005D1750: GetLastError.KERNEL32 ref: 005D17B0
Part of subcall function 005D1750: CloseHandle.KERNEL32(?), ref: 005D1A94

Strings

POST, xrefs: 005D032E
.part, xrefs: 005D0225

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastObjectSingleWait$CloseCreateEventFileHandleHeapProcessReset
String ID: .part$POST
API String ID: 2995559500-3433193937
Opcode ID: 9233b5e89f359b804edd80be26071f52c7f356a38ab6953fe15da0bf13af6d59
Instruction ID: 796a99200f543d6c26d7d3a42ceaba87fafd3da6a6f95449a822cbeaaa808266
Opcode Fuzzy Hash: 9233b5e89f359b804edd80be26071f52c7f356a38ab6953fe15da0bf13af6d59
Instruction Fuzzy Hash: 30128831A00649EFDB10DFA8C848BAEBBB5FF48314F14525AF815A7391DB74AA05CF91

Function 005C8D20 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 385registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,FF005A32,FF005A22,FF005A4E,FF005A3A,?,?), ref: 005C909C
RegQueryValueExW.ADVAPI32(?,?,00000000,FF005A32,00000010,FF005A4E), ref: 005C9116
RegCloseKey.ADVAPI32(?), ref: 005C91F0

Strings

2#vp1#v, xrefs: 005C9628
p2#v3#v, xrefs: 005C9650, 005C9740
0!X, xrefs: 005C9634, 005C97A0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Close
String ID: 2#vp1#v$0!X$p2#v3#v
API String ID: 1979452859-3019436278
Opcode ID: b29e092f608a58aa1c91fbf00b648bf76f7be7e33f6db7d31a49010614ec0b20
Instruction ID: 3782c6cfaeb572905de177998038d9f2a93a917eeefd0c69b766169bda779339
Opcode Fuzzy Hash: b29e092f608a58aa1c91fbf00b648bf76f7be7e33f6db7d31a49010614ec0b20
Instruction Fuzzy Hash: 4CF18C759016199FDB20DFA8CC8CBADBBB5BF48320F1442D9E419A7291DB34AE85CF50

Function 005A1030 Relevance: 10.9, APIs: 7, Instructions: 351stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005A1950: CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A1986
Part of subcall function 005A1950: CharNextW.USER32(00000000,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19AB
Part of subcall function 005A1950: CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19BF
Part of subcall function 005A1950: CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19CB

lstrcmpiW.KERNEL32(?,006348FC,?,5D2E80A5,00000000,00000000,?), ref: 005A10B1
lstrcmpiW.KERNEL32(?,006337C4), ref: 005A10CC
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 005A1346
CharNextW.USER32(?,?), ref: 005A1439
CharNextW.USER32(00000000), ref: 005A1453

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CharNext$lstrcmpi$From
String ID:
API String ID: 298784196-0
Opcode ID: 7c7099e6290e463d34b3b48164a25282e20609779a76c25aff2169e60cee51e7
Instruction ID: a9aad1dfdd140332b6b3706481fa533413df41a8d33f4ec977879640abfee022
Opcode Fuzzy Hash: 7c7099e6290e463d34b3b48164a25282e20609779a76c25aff2169e60cee51e7
Instruction Fuzzy Hash: F3D1E074900609DFCF24CF68C889BEE7BB4FF4A300F144229E955AB291EB749A45CB58

Function 005A6400 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 306COMMON

Download Yara Rule

APIs

Part of subcall function 005A6400: GetFileAttributesW.KERNEL32(?,?,?,00632E60,00000001,5D2E80A5,?,?,00000000), ref: 005A6681
Part of subcall function 005A6400: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 005A6692
Part of subcall function 005A6400: FindNextFileW.KERNEL32(-00000001,?,?,?,00000000), ref: 005A6706

GetFileAttributesW.KERNEL32(?,?,?,00632E60,00000001,5D2E80A5,?,?,00000000), ref: 005A66A5
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 005A66B6

Strings

p2#v3#v, xrefs: 005A6706

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID: p2#v3#v
API String ID: 3019667586-1446698346
Opcode ID: 071778cbe4a853bb8265d499bbc6c7a287165eb246221778597bb3735de3b600
Instruction ID: bcbf094cf373cadae19edee0d0417cb40336ae6df322ae288a53fe5d36f45394
Opcode Fuzzy Hash: 071778cbe4a853bb8265d499bbc6c7a287165eb246221778597bb3735de3b600
Instruction Fuzzy Hash: 58A1E031A006099FDB20EF68CD59BAEBBB9FF45310F184629E915A72D1DB74AE04CB50

Function 005F8591 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 005F86B0
___TypeMatch.LIBVCRUNTIME ref: 005F87BE
CallUnexpected.LIBVCRUNTIME ref: 005F892B

Strings

csm, xrefs: 005F85CE
csm, xrefs: 005F863B
csm, xrefs: 005F86E7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: b2ea39934ad8a367a3563f3e197e05744af9ef339543b7504077e680095936e0
Instruction ID: 7b3efdb28a8eb68ae0c50dc989240dd9644f93dbe5a05f968b2e2994018c2702
Opcode Fuzzy Hash: b2ea39934ad8a367a3563f3e197e05744af9ef339543b7504077e680095936e0
Instruction Fuzzy Hash: 32B1677180020EEFCF14EFA4C8859BEBFB5BF54310B54485AEA016B216DB79DA51CF91

Function 005D2740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

?Fa, xrefs: 005D29E1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess
String ID: ?Fa
API String ID: 54951025-1289798386
Opcode ID: 23aab4fa4c6f6c7e36e68bc1637cc4655dfba031e2fb37d37d12d6bc1543417b
Instruction ID: c15cd7bf6d3e9b5dad136627717f28a271b896607149337e646e4cab2e2d781c
Opcode Fuzzy Hash: 23aab4fa4c6f6c7e36e68bc1637cc4655dfba031e2fb37d37d12d6bc1543417b
Instruction Fuzzy Hash: 5E918D31A00649DFDB21DFA8C888B9DBFB6FF48324F14815AE915A7391CBB49D01CB91

Function 005CE0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 005CE17F
GetWindowLongW.USER32(?,000000FC), ref: 005CE18E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 005CE1A9
GetWindowLongW.USER32(?,000000FC), ref: 005CE1C3
SetWindowLongW.USER32(?,000000FC,?), ref: 005CE1D5

Strings

$, xrefs: 005CE101

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: e10010d15d706efd095281a6ff605a4e91fa84e0568a6ffec8b94df494f614e4
Instruction ID: 88e37f7b5a22988622e59593fef1b895c93db4028af5c6cbb6b0c965f876d74b
Opcode Fuzzy Hash: e10010d15d706efd095281a6ff605a4e91fa84e0568a6ffec8b94df494f614e4
Instruction Fuzzy Hash: 244146B1608B02AFC710DF59C885A2AFBF5FB88320F144A1DF99583660C772A965DB91

Function 005BBD70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00652C5C,5D2E80A5), ref: 005BBDAD
GetCurrentThreadId.KERNEL32 ref: 005BBDC1
LeaveCriticalSection.KERNEL32(00652C5C), ref: 005BBDFF
SetWindowLongW.USER32(?,00000004,00000000), ref: 005BBE65

Strings

\,e, xrefs: 005BBD9A
\,e, xrefs: 005BBE6B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID: \,e$\,e
API String ID: 3550545212-381317129
Opcode ID: 9098f24faa1898981eb3808e5849930e317d8353cac64193b25bca6eeea71aaa
Instruction ID: f9a2ec44a343ca4fbdf479314dd31563d82b00387efccc4eb160379bea3506cc
Opcode Fuzzy Hash: 9098f24faa1898981eb3808e5849930e317d8353cac64193b25bca6eeea71aaa
Instruction Fuzzy Hash: DB31D232A04615DFDB20CF25DC09BAABFBAFF45760F04462AE81593350DBB4A800DBA0

Function 005AF6E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000000,FF005C1A,?), ref: 005AF6FF
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 005AF715
FreeLibrary.KERNEL32(00000000), ref: 005AF758
FreeLibrary.KERNEL32(00000000), ref: 005AF774

Strings

Shlwapi.dll, xrefs: 005AF6F8
DllGetVersion, xrefs: 005AF70F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 87830b549792e3e02e32234661a652ed5db8da8533a6abe8e72bf4e3e41a3162
Instruction ID: 2be6e224aeffee14c1d41cf86af4cce7e62afecd6149bce32b606942bef9dacf
Opcode Fuzzy Hash: 87830b549792e3e02e32234661a652ed5db8da8533a6abe8e72bf4e3e41a3162
Instruction Fuzzy Hash: 82218E796043058BD320DF69E88592BFBE5FFDD311F40192DF459C3250EA35948A8BA2

Function 005ED2F0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 005ED30D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005ED31D
GetLastError.KERNEL32 ref: 005ED32D
CloseHandle.KERNEL32(?), ref: 005ED357
GetLastError.KERNEL32 ref: 005ED361
CreateSemaphoreW.KERNEL32(00000000,00000000,00000003,00000000), ref: 005ED386
GetLastError.KERNEL32 ref: 005ED393

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CreateEvent$CloseHandleResetSemaphore
String ID:
API String ID: 3310109588-0
Opcode ID: fcc581158523d4c71af6cfc01019fc24516deb4cd0fb996ece5833175dc0e2d5
Instruction ID: 48e8273b1acd2874c9e67e41c27b3f97f95db6faa826c8a6d904c90353264b7c
Opcode Fuzzy Hash: fcc581158523d4c71af6cfc01019fc24516deb4cd0fb996ece5833175dc0e2d5
Instruction Fuzzy Hash: 6B216FB0304B42DBEB385F26DC59B277BF9BF48745F105829E986D6290E770E8048B72

Function 005D3A20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,00000000,005D2C42,?,?,?,?,?,00000003,00000000,5D2E80A5,?,?), ref: 005D3A33
GetLastError.KERNEL32(?,?,?,00000000,005D2C42,?,?,?,?,?,00000003,00000000,5D2E80A5,?,?), ref: 005D3A60
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,00000000,005D2C42,?,?,?,?,?,00000003,00000000,5D2E80A5), ref: 005D3A9A
SetEvent.KERNEL32(?,?,?,?,00000000,005D2C42,?,?,?,?,?,00000003,00000000,5D2E80A5,?,?), ref: 005D3AC3

Strings

B,], xrefs: 005D3A3A
!Fa, xrefs: 005D3A56

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID: !Fa$B,]
API String ID: 708712559-4182801914
Opcode ID: db67445cd3edcec5fe6f78e38a4cbe6806d592cf41e13cffd5cf6660e0bf42e8
Instruction ID: 891aa2a491e56ee85fd7a072d77fd4e232b2dbf915de7744ba4c865f6a0e6153
Opcode Fuzzy Hash: db67445cd3edcec5fe6f78e38a4cbe6806d592cf41e13cffd5cf6660e0bf42e8
Instruction Fuzzy Hash: 5A1181363057409FDB309B59E888B1A7F96FB95322F14982FE08386661C730E999D762

Function 005F1648 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,005F16C3,005F1622,005F1944), ref: 005F165F
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005F1675
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005F168A

Strings

ReleaseSRWLockExclusive, xrefs: 005F167F
KERNEL32.DLL, xrefs: 005F165A
AcquireSRWLockExclusive, xrefs: 005F166F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: c9af5cf4c89056954ab3f70f77e658e1b0569e5427e84628acc34bd4c73297a9
Instruction ID: b5edde80a4d28146309e550f6d209adb9aa5488d0728288a136b543e97375375
Opcode Fuzzy Hash: c9af5cf4c89056954ab3f70f77e658e1b0569e5427e84628acc34bd4c73297a9
Instruction Fuzzy Hash: 1FF022B1300E27CB5B309F706E989762EDEBA06B043081639EB05C7A40D71CCC428B98

Function 005C4390 Relevance: 10.5, APIs: 7, Instructions: 43sleepwindowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 005C43A3
SetWindowTextW.USER32(00000000,?), ref: 005C43AE
GetDlgItem.USER32(?,0000040B), ref: 005C43BC
SendMessageW.USER32(00000000,00000410,00000002,00000000), ref: 005C43CE
ShowWindow.USER32(00000000,00000000), ref: 005C43D7
Sleep.KERNEL32(000000C8), ref: 005C43E2
ShowWindow.USER32(00000000,00000001), ref: 005C43EB

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemShow$MessageSendSleepText
String ID:
API String ID: 106862907-0
Opcode ID: 0cf416f42c25889029835f5d2512087db1ddb37b2bb460428e5a1fdd86aefc98
Instruction ID: b114eb882a0d8bbce12983dde7d797769446aab0426674fb07a5a556c7a5bdca
Opcode Fuzzy Hash: 0cf416f42c25889029835f5d2512087db1ddb37b2bb460428e5a1fdd86aefc98
Instruction Fuzzy Hash: B5012C31645B10BFDB219B60DC0AF9A7BA6BF48B11F045414FB01A71A0C7B05862DF59

Function 00607DA0 Relevance: 9.3, APIs: 6, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8586c5d71feaed562c3cb2398b7223cb6986c6d880ff178101deb1bcaa2171fe
Instruction ID: 3c731893c5215d8f21962900dbc8ae75a2518bd52f4994b8ece95b2dd1b4ee5b
Opcode Fuzzy Hash: 8586c5d71feaed562c3cb2398b7223cb6986c6d880ff178101deb1bcaa2171fe
Instruction Fuzzy Hash: 1BB16772D4435A9FDB19CF24C881BEFBBA2EF59300F144095E945AB3C2D674AD01CBA0

Function 006128F9 Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7b020f870fc2e676513587cb6b10cd0c5e01f8ab6612b4606e273ec53c836
Instruction ID: 21d01d27ae0b6843ef3d793787c1352d52ba3a045454d3fdcdf1ff64a154f69e
Opcode Fuzzy Hash: e1a7b020f870fc2e676513587cb6b10cd0c5e01f8ab6612b4606e273ec53c836
Instruction Fuzzy Hash: A2B1D2B0A0424AAFDB11DFA9C8A1BFD7BB3BF45304F184159E500A7392D7749DA2CB61

Function 005B7B45 Relevance: 9.2, APIs: 6, Instructions: 230fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005A7C78: ShellExecuteExW.SHELL32(0000003C), ref: 005A7D54
Part of subcall function 005A7C78: GetLastError.KERNEL32 ref: 005A7D65

ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 005B7BA3
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 005B7BD5
CloseHandle.KERNEL32(?), ref: 005B7C8A
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005B7CD1
CloseHandle.KERNEL32(?,?,00632ECC), ref: 005B7D36
CloseHandle.KERNEL32(?), ref: 005B7D6C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseFileHandle$CreateErrorExecuteLastReadShellWrite
String ID:
API String ID: 521638843-0
Opcode ID: c39ae0e57bf1f2c8fd5c8aac49451e8e142b6f5757e3609979e7def63bceae52
Instruction ID: 112dcbac37b09fd5fdb98c6b5511907be6293f5422d644bbdcd42d611bd1bd81
Opcode Fuzzy Hash: c39ae0e57bf1f2c8fd5c8aac49451e8e142b6f5757e3609979e7def63bceae52
Instruction Fuzzy Hash: 65915970A042099FCB14DFA8C895BEDBFB5BF88310F244169E815AB291DB74AD45CBA4

Function 00588D00 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00588D4A
std::_Lockit::_Lockit.LIBCPMT ref: 00588D6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00588D94
__Getctype.LIBCPMT ref: 00588E75
std::_Facet_Register.LIBCPMT ref: 00588ED7
std::_Lockit::~_Lockit.LIBCPMT ref: 00588F0B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 6bf75f34d687406032ca8b1ae44c9608131995e9ed10da1633e2881d1e4a10a0
Instruction ID: 430076d7def1aee1a3afa5864dc463fdf7ee3bf3a859e4febe3572234dffbc34
Opcode Fuzzy Hash: 6bf75f34d687406032ca8b1ae44c9608131995e9ed10da1633e2881d1e4a10a0
Instruction Fuzzy Hash: B861AEB0D0064ADFDB00DF68C9457A9FBF5FF65310F148259D805AB391DB74AA84CB91

Function 0058D0B0 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0058D0ED
std::_Lockit::_Lockit.LIBCPMT ref: 0058D10F
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D137
__Getcoll.LIBCPMT ref: 0058D201
std::_Facet_Register.LIBCPMT ref: 0058D246
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D287

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 86b902ffc3ba1271d5f4521804ddf38cf1cc57fd70926d5acbb3b6b3cbce1cd4
Instruction ID: 3f1ccc8b3cf40bb6123c96ac90cd846ccdd42a580f693be951189afaf39efe92
Opcode Fuzzy Hash: 86b902ffc3ba1271d5f4521804ddf38cf1cc57fd70926d5acbb3b6b3cbce1cd4
Instruction Fuzzy Hash: EF51ABB0D00209EFDB01EF94D888BADBFF5FF84310F244159E805AB291DB74AA45CBA1

Function 005A1950 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A1986
CharNextW.USER32(00000000,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19AB
CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19BF
CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A19CB
CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A1A31
CharNextW.USER32(?,?,00000000,0000007B,?,?,005A262C,00000000,?,00000000,?,00000000,00000000,00000000,005A28BE,?), ref: 005A1A5E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 60295d0b5c23068d6169e21cebcc9af9091be850df41e085d1d651af5e78e4e8
Instruction ID: 37fea6247b2401176bb499c675993658fcfce2fd23567ba666733de4668f48e4
Opcode Fuzzy Hash: 60295d0b5c23068d6169e21cebcc9af9091be850df41e085d1d651af5e78e4e8
Instruction Fuzzy Hash: BF410236601A428FCB20CF28CC845BEBBE7FFD9315F95852AE8468B250EB318D41C794

Function 005A7A90 Relevance: 9.1, APIs: 6, Instructions: 103processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005A7B3F
GetLastError.KERNEL32 ref: 005A7B50
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005A7B66
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 005A7B77
CloseHandle.KERNEL32(?), ref: 005A7B81
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 005A7B9C

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ProcessWow64$CloseCodeCreateErrorExitHandleLastObjectRedirectionRevertSingleWait
String ID:
API String ID: 3742689608-0
Opcode ID: c822f0282379f476cf1b2fd910214e4a04b0e83d784e3a79bb83ec0db3ddaf5c
Instruction ID: d45792f916881f5a86cc71d2eee94af46b790571e1637fa71d42f107dcbdea1f
Opcode Fuzzy Hash: c822f0282379f476cf1b2fd910214e4a04b0e83d784e3a79bb83ec0db3ddaf5c
Instruction Fuzzy Hash: A8416DB1E0874DDBDB10CFA5CD45BAEBBB9FB59710F109259E821A7290E73099448FA0

Function 005AC7B0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.IMAGEHLP(?,?,?,?,5D2E80A5), ref: 005AC85E

Part of subcall function 005AC210: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 005AC26E
Part of subcall function 005AC210: GetProcAddress.KERNEL32(00000000), ref: 005AC275

Strings

%hs:%ld, xrefs: 005AC9FB
[0x%.8Ix] , xrefs: 005ACB37
-> , xrefs: 005ACCDE
%hs(), xrefs: 005ACC01

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddrAddressFromLibraryLineLoadProc
String ID: -> $%hs()$%hs:%ld$[0x%.8Ix]
API String ID: 2196328783-3499247214
Opcode ID: 0fd9f1a571000f65b169b92cef51d0c7b0b9a17e4433a0f3e0d67c29149142ec
Instruction ID: c2965ab78842829d591beeca25e9adda7153531752cc47a865c1377ebfad733c
Opcode Fuzzy Hash: 0fd9f1a571000f65b169b92cef51d0c7b0b9a17e4433a0f3e0d67c29149142ec
Instruction Fuzzy Hash: 5CE19A70D002699ADB28DF24CC98BEEBBB5FF85314F1042D9E519A7281DB785B84CF90

Function 005D5E10 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000425), ref: 005D5E2D
GetWindowTextLengthW.USER32(00000000), ref: 005D5E38
GetWindowTextW.USER32(?,?,?), ref: 005D5E91
MessageBeep.USER32(000000FF), ref: 005D5ED6
GetDlgItem.USER32(?,00000425), ref: 005D5EEB
SetFocus.USER32(00000000), ref: 005D5EF2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ItemTextWindow$BeepFocusLengthMessage
String ID:
API String ID: 2221317226-0
Opcode ID: 972234182ec02d5b8e959bb7fee0490c3eb7fb72f158f045028816d098938a05
Instruction ID: b22ec90a2733a1c332f6306c2766940c86dde1deb4c1744f1675174bb55a9786
Opcode Fuzzy Hash: 972234182ec02d5b8e959bb7fee0490c3eb7fb72f158f045028816d098938a05
Instruction Fuzzy Hash: 5231E271601A06DFCB14EF2CC889C6EBFA5FF84311B10466EF815CB2A0EB31A955DB90

Function 005CE270 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000100,?,80000000), ref: 005CE2F3
VerSetConditionMask.KERNEL32(00000000), ref: 005CE2FB
VerSetConditionMask.KERNEL32(00000000), ref: 005CE303
VerifyVersionInfoW.KERNEL32(?), ref: 005CE32C
GetParent.USER32(005CCF9A), ref: 005CE349
SendMessageW.USER32(?,00000432,00000000,00000023), ref: 005CE382

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ConditionMask$InfoMessageParentSendVerifyVersion
String ID:
API String ID: 2374517313-0
Opcode ID: 08757dcf89db17e20686d156ccf9b235c2371ac89d82a7c54bf81614762a88f4
Instruction ID: 6c4f35cb8f2608107527d7d2e87d4cb5c5369878950da7491c9ff7fc6f1c1ba9
Opcode Fuzzy Hash: 08757dcf89db17e20686d156ccf9b235c2371ac89d82a7c54bf81614762a88f4
Instruction Fuzzy Hash: 7A3171B1558344AFE320DF64DC0AB9BBBE8FBC9704F008A1EF588D6290D7B496448F56

Function 005F0650 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 005EF400: WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 005EF45E
Part of subcall function 005EF400: GetLastError.KERNEL32 ref: 005EF469

SetEvent.KERNEL32(?,?,00000000,?,?,?,005F0A9E,?), ref: 005F069A
GetLastError.KERNEL32(?,?,005F0A9E,?), ref: 005F06A4
SetEvent.KERNEL32(?,?,?,005F0A9E,?), ref: 005F06B0
GetLastError.KERNEL32(?,?,005F0A9E,?), ref: 005F06BA
EnterCriticalSection.KERNEL32(?,?,?,005F0A9E,?), ref: 005F06D8
LeaveCriticalSection.KERNEL32(?,?,?,005F0A9E,?), ref: 005F06F4

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CriticalEventSection$EnterLeaveObjectSingleWait
String ID:
API String ID: 3090723020-0
Opcode ID: 01e89b48096dc29ff39f598d7ab07706ff67f77e4abca18223a408d7e3209cb9
Instruction ID: b4e76d942dfe9391f0bc80fea3cd1d3a9e222183253897989b94b54f422ca982
Opcode Fuzzy Hash: 01e89b48096dc29ff39f598d7ab07706ff67f77e4abca18223a408d7e3209cb9
Instruction Fuzzy Hash: 0F21D371600B08CFC720DFA9D808BABBBE9FF88710F08591EE65AC7251D734A8118B60

Function 005F65DA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005F65D1,005ACFDC,006337E8,00000002,5D2E80A5), ref: 005F65E8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F65F6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F660F
SetLastError.KERNEL32(00000000,?,005F65D1,005ACFDC,006337E8,00000002,5D2E80A5), ref: 005F6661

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 77ea6750ae05ffb764b913e68c17cf837c1a7b6b056d72c4ec318dc25777e9c0
Instruction ID: 0bab34696d4d3b45ddc4ead69a27bc26c514cf36b0b6b4ac28fd0cff6b7426f0
Opcode Fuzzy Hash: 77ea6750ae05ffb764b913e68c17cf837c1a7b6b056d72c4ec318dc25777e9c0
Instruction Fuzzy Hash: 3C01F73620D71B5EAB2427747C8EA3B2F56FB637783201A39F724960E0EF6A8C115244

Function 005EF1E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,005F0A50), ref: 005EF1EB
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,005F0A50), ref: 005EF1FB
GetLastError.KERNEL32 ref: 005EF20C
ResetEvent.KERNEL32(?), ref: 005EF228
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EF238
GetLastError.KERNEL32 ref: 005EF249

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: de3999965884ae98d1144089be69cd3881d9c1fd070118b34ca8fb27bc3c39e4
Instruction ID: 6304bf1bb8fbe408772567452c377e6eba84b9b58a21323dd16ee68d1c4ca5e1
Opcode Fuzzy Hash: de3999965884ae98d1144089be69cd3881d9c1fd070118b34ca8fb27bc3c39e4
Instruction Fuzzy Hash: 8B012C3834A7429BEB7C5B76AC19F263AD57B40B01F10543DFA87D52C0EFA0E8019B14

Function 005BED00 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 005BEE88
GetForegroundWindow.USER32(?,?,?,0061FB6D,000000FF), ref: 005BEE98
SetForegroundWindow.USER32(00000000), ref: 005BEED2

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

OutputDebugStringW.KERNEL32(?,5D2E80A5,00000000,?,?,?,?,?,0061FB6D,000000FF,?,005CB890,?,?,?,?), ref: 005BEF3B

Strings

he, xrefs: 005BED9F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
String ID: he
API String ID: 799693181-2125610711
Opcode ID: 9e17bda1e1d355d3fcf7dee10338879fa61219204d4ca6d44a83b944af71e362
Instruction ID: 3e533aa2808a2d5a23d57de041559ce075c0e9f2f76a5df88db57f02b1d9cfda
Opcode Fuzzy Hash: 9e17bda1e1d355d3fcf7dee10338879fa61219204d4ca6d44a83b944af71e362
Instruction Fuzzy Hash: 3D71C175A006058FDB14DF68C85A6EEBBF6FF88320F19415DE815A7390DB35AD02CB91

Function 005AA540 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,5D2E80A5), ref: 005AA57C
EnterCriticalSection.KERNEL32(?,5D2E80A5), ref: 005AA589
OutputDebugStringW.KERNEL32(?,?,00000000), ref: 005AA655
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0061BE7D,000000FF), ref: 005AA718

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 005AA5D0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: c655fb7a26acba359ae1a94e6b86f43a29fe8db2fc27487109c2db6e0f4eecd5
Instruction ID: acfa3e07e636657dfd425dcb8874b3e3d95fd3c5391731745050ec562d557392
Opcode Fuzzy Hash: c655fb7a26acba359ae1a94e6b86f43a29fe8db2fc27487109c2db6e0f4eecd5
Instruction Fuzzy Hash: 0061F035900615CFCF10DF68C814AAEBFB1FF4A310F190598E812AB391DB319E02DBA1

Function 005A71C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,5D2E80A5,?,?,00000000,?,?,?,?,?,?,?,?,00000000,0061B56F,000000FF), ref: 005A720B
CreateDirectoryW.KERNEL32(?,00000000,?,?,006337AC,00000001,?,5D2E80A5), ref: 005A72CA
GetLastError.KERNEL32(?,5D2E80A5), ref: 005A72D8

Strings

\\?\UNC\, xrefs: 005A6E59, 005A6EE1, 005A6EE7
\\?\, xrefs: 005A6F5F, 005A6F65

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: \\?\$\\?\UNC\
API String ID: 953296794-3019864461
Opcode ID: 66704687ea8df7babc2607f117edddf883e38aa0853b9f36b77dcc1b909d5ef6
Instruction ID: d02f6b7db0884704fbe428dbaa1e2ce604d5f2bb79d4a9077481550e1187c0ff
Opcode Fuzzy Hash: 66704687ea8df7babc2607f117edddf883e38aa0853b9f36b77dcc1b909d5ef6
Instruction Fuzzy Hash: 1B61B030A0460ACFDF14DFA8C899BADBBF5FF49310F154569E821E7291DB319905CBA1

Function 005B68D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 005B69AD
GetLastError.KERNEL32 ref: 005B69B5
RemoveDirectoryW.KERNEL32 ref: 005B6A15
GetLastError.KERNEL32 ref: 005B6A1D

Strings

H, xrefs: 005B6935

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID: H
API String ID: 50330452-2852464175
Opcode ID: 4871b1f82eaa79a1fe5e73198c3ab2285a5964a65f2137fbf86dc41e9955672b
Instruction ID: 214e9fa6c13feb7e2ebd0372d7926ad4efdd08ff394970e176d3bd2a51043d1b
Opcode Fuzzy Hash: 4871b1f82eaa79a1fe5e73198c3ab2285a5964a65f2137fbf86dc41e9955672b
Instruction Fuzzy Hash: 2E517E31900219CFCF20CFA4C989BEEBBB5FB45304F1585A8D805BB251D779B948CBA1

Function 0059F7F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00650A1C,5D2E80A5), ref: 0059F82F
DestroyWindow.USER32(00000000), ref: 0059F84D
LeaveCriticalSection.KERNEL32(00650A1C), ref: 0059F896

Strings

,e, xrefs: 0059F965
,e, xrefs: 0059F817

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$DestroyEnterLeaveWindow
String ID: ,e$,e
API String ID: 1456685395-3154685309
Opcode ID: e23bab8e57fabd8547ad78f9e920eab929eeaa2627167f463f275823ee7d4262
Instruction ID: 471855d4bb5f6accf02c3b5fff2c8c145360285efa2d1016e868d03584ab3f30
Opcode Fuzzy Hash: e23bab8e57fabd8547ad78f9e920eab929eeaa2627167f463f275823ee7d4262
Instruction Fuzzy Hash: 5341BC71A017119BEB20DF28DC09B1ABFFAFF45B15F180529E855EB790D7B4A840CB91

Function 00595440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00595484
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0059548A
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 005954DA

Strings

RoOriginateLanguageException, xrefs: 0059547A
combase.dll, xrefs: 0059547F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressErrorInfoLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 1186719886-3996158991
Opcode ID: e6f8e4b02d281e9535972b9793a91507a746908e1aa9ea731310434e3f50b4ac
Instruction ID: 31b75de52ffb3e73241166769d4b8b377b27f5caf6c80ed571abe9efd1c1eb4f
Opcode Fuzzy Hash: e6f8e4b02d281e9535972b9793a91507a746908e1aa9ea731310434e3f50b4ac
Instruction Fuzzy Hash: DA318A7190061ADBDF21DF94D849BAEBFB4FB40724F10022AE914A72D0E7B45E44CBD1

Function 006041D1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5D2E80A5,00000000,?,00000001,00626170,000000FF,?,006041C6,?,?,0060419D,?,?), ref: 00604206
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00604218
FreeLibrary.KERNEL32(00000000,?,00000001,00626170,000000FF,?,006041C6,?,?,0060419D,?,?), ref: 0060423A

Strings

mscoree.dll, xrefs: 006041FF
CorExitProcess, xrefs: 00604210

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5cf9b6ec07e320c552a92164e97a5cedd10891cd2dc8f16ae303180d243a2f6c
Instruction ID: 0f4ac70cc54bd099063ea4eb06896e463c9ecea56461df7fae0010edccfa8c06
Opcode Fuzzy Hash: 5cf9b6ec07e320c552a92164e97a5cedd10891cd2dc8f16ae303180d243a2f6c
Instruction Fuzzy Hash: FD01D671A44A29EFDB218F50DC09FEFBBBAFB04B15F000525F811A26D0DB749900CB90

Function 005AC210 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005F46AF: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46BA
Part of subcall function 005F46AF: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583A56,00650848,5D2E80A5,?,?,0061516D,000000FF,?,005C10B6,5D2E80A5,?), ref: 005F46F4

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 005AC26E
GetProcAddress.KERNEL32(00000000), ref: 005AC275

Part of subcall function 005F465E: AcquireSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F4668
Part of subcall function 005F465E: ReleaseSRWLockExclusive.KERNEL32(0064FFB8,?,?,00583AC7,00650848,00626460), ref: 005F469B
Part of subcall function 005F465E: WakeAllConditionVariable.KERNEL32(0064FFB4,?,?,00583AC7,00650848,00626460), ref: 005F46A6

Strings

Dbghelp.dll, xrefs: 005AC269
7c, xrefs: 005AC229, 005AC299
SymFromAddr, xrefs: 005AC264

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr$7c
API String ID: 1702099962-559038804
Opcode ID: 72316650fdfd92583fb63781f39d3d34603d43d770af0fb88536a40e2acbedab
Instruction ID: 53d9674e712b0431f0b7c9ce390713c301efc75a5d522be5381b40590807726e
Opcode Fuzzy Hash: 72316650fdfd92583fb63781f39d3d34603d43d770af0fb88536a40e2acbedab
Instruction Fuzzy Hash: 0301DFB6944B46DFC710CF98ED09B0D7BA6F70AB25F108225F82AC33D1DB35A9008E51

Function 006071DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00607144,00000000,?,?,?,?,00607268,0000001A,AppPolicyGetProcessTerminationMethod,0062D708,AppPolicyGetProcessTerminationMethod,00000000), ref: 006071E9
GetLastError.KERNEL32(?,00607144,00000000,?,?,?,?,00607268,0000001A,AppPolicyGetProcessTerminationMethod,0062D708,AppPolicyGetProcessTerminationMethod,00000000,?,0060986F,00000000), ref: 006071F3
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 00607231

Strings

ext-ms-, xrefs: 00607216
api-ms-, xrefs: 00607200

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 376cb72d6a04a903aedbe9ca70c253a9b7d92e1ca469b2d922eed4c069b2360a
Instruction ID: 20e7d0d8d68c6597a17e6e64092f11cd90d710752f108ca2c0a71c316faec7b7
Opcode Fuzzy Hash: 376cb72d6a04a903aedbe9ca70c253a9b7d92e1ca469b2d922eed4c069b2360a
Instruction Fuzzy Hash: 88F0A771AC8605B7DB201F61EC06F6A3E5BBB51B45F104021FA4CA41E1D7B5FA5185D1

Function 005D6390 Relevance: 7.7, APIs: 5, Instructions: 216windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005D63B6
IsWindowVisible.USER32(?), ref: 005D6401
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005D6417
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005D660E
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 005D6627

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: adb1917d31627817be488fcfabf8374a2eac6b31e5d351d5b72cfc275a64c35f
Instruction ID: ea6912200841307730e8176cf615ba1e04e54be7e6ca27fcaab62ca2b9a99e1e
Opcode Fuzzy Hash: adb1917d31627817be488fcfabf8374a2eac6b31e5d351d5b72cfc275a64c35f
Instruction Fuzzy Hash: 7E911371A083519FC724CF18C884A1ABBF6BFC8710F554A1EF995A7290D771E846CB82

Function 005D5C00 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

SetWindowTextW.USER32(?,00623AD5), ref: 005D5C9E
GetDlgItem.USER32(?,0000042B), ref: 005D5D02
SetWindowTextW.USER32(00000000,00000000), ref: 005D5D0D
GetDlgItem.USER32(?,00000001), ref: 005D5D17
EnableWindow.USER32(00000000,00000000), ref: 005D5D20

Part of subcall function 005BBEA0: GetWindowLongW.USER32(?,000000F0), ref: 005BBEE7
Part of subcall function 005BBEA0: GetParent.USER32(00000000), ref: 005BBEFA
Part of subcall function 005BBEA0: GetWindowRect.USER32(?,?), ref: 005BBF13
Part of subcall function 005BBEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 005BBF26
Part of subcall function 005BBEA0: MonitorFromWindow.USER32(?,00000002), ref: 005BBF3E
Part of subcall function 005BBEA0: GetMonitorInfoW.USER32(00000000,?), ref: 005BBF54

Part of subcall function 005D5F10: GetWindowLongW.USER32(?,000000F0), ref: 005D5F3D
Part of subcall function 005D5F10: GetWindowLongW.USER32(?,000000F0), ref: 005D5F52
Part of subcall function 005D5F10: SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D5F69
Part of subcall function 005D5F10: GetWindowLongW.USER32(?,000000EC), ref: 005D5F82
Part of subcall function 005D5F10: SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D5F96
Part of subcall function 005D5F10: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 005D5FA4
Part of subcall function 005D5F10: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005D5FB7
Part of subcall function 005D5F10: GetDlgItem.USER32(?,0000E801), ref: 005D5FC4
Part of subcall function 005D5F10: IsWindow.USER32(00000000), ref: 005D5FCD
Part of subcall function 005D5F10: DestroyWindow.USER32(00000000,?,00000000), ref: 005D5FE9
Part of subcall function 005D5F10: GetClientRect.USER32(?,?), ref: 005D6041

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Item$MessageMonitorRectSendText$ClientDestroyEnableFromHeapInfoParentProcess
String ID:
API String ID: 3895391425-0
Opcode ID: a15ce603b19b32606f620832b2b11d8b6eaaeaf29c330f8568705dd69c6405d7
Instruction ID: cfe58b8cd95a1623e8901dd9bc8485003b57677c862bbb2461ce1b1d1cda48aa
Opcode Fuzzy Hash: a15ce603b19b32606f620832b2b11d8b6eaaeaf29c330f8568705dd69c6405d7
Instruction Fuzzy Hash: 8161A331A00A159FDB10EFA8CC99AAEBBB5FF48320F144169E511E73A1DB349E05DF91

Function 005CBC50 Relevance: 7.7, APIs: 5, Instructions: 175synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,5D2E80A5,00000000,?,?,?,?,?,?,?,00000000,006220FD,000000FF), ref: 005CBC8D
CreateThread.KERNEL32(00000000,00000000,005CC060,?,00000000,?), ref: 005CBCDD
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005CBE07

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Create$EventObjectSingleThreadWait
String ID:
API String ID: 1077646455-0
Opcode ID: 4d51604c9497667c373cdb30da0f08c985db5bd784194131a6516907e1f20902
Instruction ID: 749931568fb287bc7c1e0fa6ae42685254b88b88daa357a67b1a41f3d2a9b64a
Opcode Fuzzy Hash: 4d51604c9497667c373cdb30da0f08c985db5bd784194131a6516907e1f20902
Instruction Fuzzy Hash: 93613975A002199FDB14CF98C885FAEBBB6FF88B10F254159E915AB394D730AD41CBA0

Function 005F416A Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005F417E
AcquireSRWLockExclusive.KERNEL32(0058FCB8,?,00000000,00626214,000000FF,?,0058FCB8), ref: 005F419D
AcquireSRWLockExclusive.KERNEL32(0058FCB8,?,?,?,00000000,00626214,000000FF,?,0058FCB8), ref: 005F41CB
TryAcquireSRWLockExclusive.KERNEL32(0058FCB8,?,?,?,00000000,00626214,000000FF,?,0058FCB8), ref: 005F4226
TryAcquireSRWLockExclusive.KERNEL32(0058FCB8,?,?,?,00000000,00626214,000000FF,?,0058FCB8), ref: 005F423D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e90ced768ae6fdfef4c4c3fdc5513428e457cec7f074ea970535cea7d13edd46
Instruction ID: d0153742bb6561cf7bcfc8f68392eb891a5385c3ccb39ebc21b39372b8a6d152
Opcode Fuzzy Hash: e90ced768ae6fdfef4c4c3fdc5513428e457cec7f074ea970535cea7d13edd46
Instruction Fuzzy Hash: 7341283890060ADBCB20CF64C48597BBBF9FF44350F204A2AE65697650D738E985CF50

Function 005AF7D0 Relevance: 7.6, APIs: 5, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005AF270: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,FF005A36,5D2E80A5,00000000,00000000,00000000), ref: 005AF2CB

GetFileVersionInfoSizeW.VERSION(?,FF005E62,?,5D2E80A5,00000000,?,00000000), ref: 005AF81D
GetFileVersionInfoW.VERSION(?,?,?,?,00000000), ref: 005AF849
VerQueryValueW.VERSION(?,006337AC,FF005E6A,FF005E5E), ref: 005AF861
GetLastError.KERNEL32 ref: 005AF88E
DeleteFileW.KERNEL32(?), ref: 005AF8A1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathQuerySizeValue
String ID:
API String ID: 1753006064-0
Opcode ID: d84739aa09db2cc07b85c9e28cdc2768e5798e2dd3166cac4268e451eddb9ea3
Instruction ID: fd49f98878622394c9c0a3e949db62a3c49479bd4fb1b5ecb60ba28c26e7a13e
Opcode Fuzzy Hash: d84739aa09db2cc07b85c9e28cdc2768e5798e2dd3166cac4268e451eddb9ea3
Instruction Fuzzy Hash: 93315CB1A0120AABDB14CFE5DD84BEFBFB8FF49750F144169E815A3240D7389944CBA1

Function 005EA880 Relevance: 7.6, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 005F0B70: SetEvent.KERNEL32(00000002,?,005EA8BE,5D2E80A5), ref: 005F0B7F
Part of subcall function 005F0B70: GetLastError.KERNEL32(?,005EA8BE,5D2E80A5), ref: 005F0B89
Part of subcall function 005F0B70: WaitForSingleObject.KERNEL32(?,000000FF,?,005EA8BE,5D2E80A5), ref: 005F0B99
Part of subcall function 005F0B70: GetLastError.KERNEL32(?,005EA8BE,5D2E80A5), ref: 005F0BA4
Part of subcall function 005F0B70: CloseHandle.KERNEL32(?,?,005EA8BE,5D2E80A5), ref: 005F0BB2

CloseHandle.KERNEL32(?,5D2E80A5), ref: 005EA8CA
GetLastError.KERNEL32 ref: 005EA8D4
CloseHandle.KERNEL32(?,5D2E80A5), ref: 005EA8F8
GetLastError.KERNEL32 ref: 005EA902
CloseHandle.KERNEL32(?,5D2E80A5), ref: 005EA92B
GetLastError.KERNEL32 ref: 005EA935

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2212007442-0
Opcode ID: ee8897d89aa0e17154aaabc5bc4a80566c81583c0944ce3d7518325f6fe04d82
Instruction ID: 9cf8bf085e84fc76bf92e2ad9b306b6645b809af6070bc8262965cd16394639c
Opcode Fuzzy Hash: ee8897d89aa0e17154aaabc5bc4a80566c81583c0944ce3d7518325f6fe04d82
Instruction Fuzzy Hash: FF2192B1908745DFD724CF69D908B5ABFF8FB00720F10465EE895D3280D775A904CBA1

Function 00594840 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00594850

Part of subcall function 005F2F0C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00594866,?,?,00000000,?,?,?,0058B64C), ref: 005F2F18
Part of subcall function 005F2F0C: GetExitCodeThread.KERNEL32(?,0058B64C,?,?,00594866,?,?,00000000,?,?,?,0058B64C), ref: 005F2F31
Part of subcall function 005F2F0C: CloseHandle.KERNEL32(?,?,?,00594866,?,?,00000000,?,?,?,0058B64C,?,?,?,?,00000000), ref: 005F2F43

std::_Throw_Cpp_error.LIBCPMT ref: 00594879
std::_Throw_Cpp_error.LIBCPMT ref: 00594880
std::_Throw_Cpp_error.LIBCPMT ref: 00594887
___std_exception_copy.LIBVCRUNTIME ref: 005948D1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait___std_exception_copy
String ID:
API String ID: 2568938302-0
Opcode ID: 6506f24a23fcda83dc4b5ca0d2eba09a199bd3ba13008b095a5be5dbb6987693
Instruction ID: fd129a2a6d560fcb7ac6263cbea8511cff0de61a32042c1383d104005df30985
Opcode Fuzzy Hash: 6506f24a23fcda83dc4b5ca0d2eba09a199bd3ba13008b095a5be5dbb6987693
Instruction Fuzzy Hash: D62108B1910719ABD720DF94CC06BA6BBEDFF05710F104A2EFA64976C0E7B5A900CB91

Function 00606A4E Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00606C08,?,005FFA29,?,00000004,00000000,00000000,?,?,00604979,?,00000000,00000004,?), ref: 00606A51
SetLastError.KERNEL32(00000000,000000FF,?,005FFA29,?,00000004,00000000,00000000,?,?,00604979,?,00000000,00000004,?), ref: 00606A6B
SetLastError.KERNEL32(00000000,00000000,00000000,?,000000FF,?,005FFA29,?,00000004,00000000,00000000,?,?,00604979,?,00000000), ref: 00606AA1

Strings

Xd, xrefs: 00606AD2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast
String ID: Xd
API String ID: 1452528299-2515267296
Opcode ID: 83eea9e9403b15d5d460aa6bd35f82de603302a884bec2d396141c30e06057b1
Instruction ID: afe461900eb22d72d3e7aa6bd9f88bda5c68211585c37d6f1a3b31ed0dc1817d
Opcode Fuzzy Hash: 83eea9e9403b15d5d460aa6bd35f82de603302a884bec2d396141c30e06057b1
Instruction Fuzzy Hash: 4201DE317C86117EE75D37B0FC4AE2B2A5BEF813A8B004538F901A11E2EA615C225269

Function 00594B80 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00594BCA
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00594BD0
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000), ref: 00594BF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00594C1B
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00594C21

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: db100d593ef1f892fbe6edf5e119ee91ad997d42a33b5a9b901a8b7b639aa32b
Instruction ID: d2fe34740f8723a7c8b383471295a2d157f89d0d0141eb3da77aafedb3d4f35a
Opcode Fuzzy Hash: db100d593ef1f892fbe6edf5e119ee91ad997d42a33b5a9b901a8b7b639aa32b
Instruction Fuzzy Hash: 1E1146B1A44219ABEF00DF94DC09FAFBBBCFB44B04F104519F914AB2C1D7B599048B95

Function 005F0B70 Relevance: 7.5, APIs: 5, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000002,?,005EA8BE,5D2E80A5), ref: 005F0B7F
GetLastError.KERNEL32(?,005EA8BE,5D2E80A5), ref: 005F0B89
WaitForSingleObject.KERNEL32(?,000000FF,?,005EA8BE,5D2E80A5), ref: 005F0B99
GetLastError.KERNEL32(?,005EA8BE,5D2E80A5), ref: 005F0BA4
CloseHandle.KERNEL32(?,?,005EA8BE,5D2E80A5), ref: 005F0BB2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleObjectSingleWait
String ID:
API String ID: 891035169-0
Opcode ID: a9dfa3b65616a78e235fa0e5b1fc4e08bd925b3757b58f32e9eef5a53a976c9e
Instruction ID: 8b1e2e6be85051b72e5b671b9b3e45f8fcd43ff1deec2e14871edd775707c1e0
Opcode Fuzzy Hash: a9dfa3b65616a78e235fa0e5b1fc4e08bd925b3757b58f32e9eef5a53a976c9e
Instruction Fuzzy Hash: 76F05B702056058BD7305B35BC08F6B7BD97F14379B189615E962C22D1D774D8058660

Function 005B6530 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 306fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,5D2E80A5,?), ref: 005B659F
CloseHandle.KERNEL32(?), ref: 005B6744

Strings

0ic, xrefs: 005B6563
,ic, xrefs: 005B656A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseDeleteFileHandle
String ID: ,ic$0ic
API String ID: 2633145722-262660716
Opcode ID: 1f68ec4728e9e17963044378f18a8f814fe069908a6d497d105942b79e8ffc92
Instruction ID: 2abdba09a8f60af4e5723276f04773e79fe856590c4e190844a457d4e85a8873
Opcode Fuzzy Hash: 1f68ec4728e9e17963044378f18a8f814fe069908a6d497d105942b79e8ffc92
Instruction Fuzzy Hash: 3CC1A034A01645CFDB01DF68C95879C7BE5FF49320F1981A9D859AB3D2CB34AE02DBA1

Function 005AB620 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 005AFB40: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00650A68), ref: 005AFB50
Part of subcall function 005AFB40: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00650A68), ref: 005AFB63
Part of subcall function 005AFB40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 005AFB73

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00650A68), ref: 005AB710

Part of subcall function 00583620: RtlAllocateHeap.NTDLL(00000000,00000000,?,5D2E80A5,00000000,00615110,000000FF,?,?,0064B028,?,?,005C1A0D,80004005,5D2E80A5,?), ref: 0058366A

Strings

Everyone, xrefs: 005AB72C
ADVINST_LOGS, xrefs: 005AB703

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: 9df0a17fc2dad26f0f55042c2028fd8faa2a3c7f03cb93fd610a62943d5bbcba
Instruction ID: 8a751edcd059dbe5c7b4eda2f929123013d0b91487909692747a1710e735e6b4
Opcode Fuzzy Hash: 9df0a17fc2dad26f0f55042c2028fd8faa2a3c7f03cb93fd610a62943d5bbcba
Instruction Fuzzy Hash: 06A1BD71901609DFEB00DFA8C959BAEBBB5FF85320F244148E911B7392DB755E05CBA0

Function 005A4020 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,?,?,5D2E80A5,*.*,?), ref: 005A4150

Strings

*.*, xrefs: 005A4036
\\?\UNC\, xrefs: 005A4172, 005A4255
\\?\, xrefs: 005A426B, 005A42D6

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2875597873-1700010636
Opcode ID: 81b7175f9101b64f346ddacf9227fc5450c90d44fadf529744ab161246bfb132
Instruction ID: ba69bafdf866658b3b8ec73b0aec66d07286582892a454ce18480f91893bc0c0
Opcode Fuzzy Hash: 81b7175f9101b64f346ddacf9227fc5450c90d44fadf529744ab161246bfb132
Instruction Fuzzy Hash: AA91FF70A00616CBCB14DFA8C849BAEBBB5FF85324F144269E515AB391D7B5AE41CF80

Function 005D3B40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

GetLastError.KERNEL32 ref: 005D3BD2
WaitForSingleObject.KERNEL32(?,0000000A), ref: 005D3C1F

Strings

REST %u, xrefs: 005D3B9F
IFa, xrefs: 005D3BC5

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorHeapLastObjectProcessSingleWait
String ID: IFa$REST %u
API String ID: 1530046183-1137722673
Opcode ID: fe6ddfa8877416b230ea00670432af1e3a41c61da4d933ae484a7365a1a6a97d
Instruction ID: 469bb010b6419f3948899ac6e3877994bc3f286ed0fdfc87c1daf021eeab70c0
Opcode Fuzzy Hash: fe6ddfa8877416b230ea00670432af1e3a41c61da4d933ae484a7365a1a6a97d
Instruction Fuzzy Hash: 4151D2316006059FDB24DF2CCC89B69BFA6BF84321F14425AE812AB3E1DB749E45CB91

Function 0061244C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,00000000,?,?,00612C2C,?,?,?), ref: 0061253A

Strings

,,a, xrefs: 00612521
,,a, xrefs: 0061247A
,,a, xrefs: 006124E5

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileRead
String ID: ,,a$,,a$,,a
API String ID: 2738559852-1172751164
Opcode ID: bd96b6341df71b8b38ac8dff3f39c9ff79a025d3921c421f3aeb76785ffca89e
Instruction ID: ab83b15e1e484081f87d2db4bb1301a08a020d4897a7f77c70adda3c288c52d1
Opcode Fuzzy Hash: bd96b6341df71b8b38ac8dff3f39c9ff79a025d3921c421f3aeb76785ffca89e
Instruction Fuzzy Hash: FF510531A04216EBCB10CF48C8E0BED77B3AF48310F68815AE545AB391D330AE91DB95

Function 005C1A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000), ref: 005C1AB2

Strings

URL, xrefs: 005C1A5A
.url, xrefs: 005C1A60

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CreateFile
String ID: .url$URL
API String ID: 823142352-2674294872
Opcode ID: d9ac86bbb901da55190de7a935f9af8cd7e01c1355fd1f50db1efa89f5f9cbfe
Instruction ID: 1e3ddd9f2c9cdbcfe96ee994b0f09a5652a12d5fd1aacd3520c0520312beabf2
Opcode Fuzzy Hash: d9ac86bbb901da55190de7a935f9af8cd7e01c1355fd1f50db1efa89f5f9cbfe
Instruction Fuzzy Hash: 0F3183B1C00619ABD720EF58DD0AB9EBFB8FB45710F104299ED25B72C1EB705A448FA5

Function 005D1AE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,80070057,80004005), ref: 005D1AEE
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,80070057,80004005), ref: 005D1B19
GetLastError.KERNEL32 ref: 005D1B83

Strings

AdvancedInstaller, xrefs: 005D1B6A

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: bcd5e2c2a34bd173da40710e5d3cc5414c96d3747c022943647a83aa11a9f35e
Instruction ID: 2313d4b689f8d289bf75dd2708c98b6bec8c782f2addaf16b747223f101a262f
Opcode Fuzzy Hash: bcd5e2c2a34bd173da40710e5d3cc5414c96d3747c022943647a83aa11a9f35e
Instruction Fuzzy Hash: 4A219331640704EBEB20EF24DD99F257FA9FB44705F10405BF9029B396EA72A801CB54

Function 005F9327 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(006337E8,00000000,00000800,?,005F92D8,?,?,00000000,?,?,?,005F9402,00000002,FlsGetValue,0062AA18,FlsGetValue), ref: 005F9334
GetLastError.KERNEL32(?,005F92D8,?,?,00000000,?,?,?,005F9402,00000002,FlsGetValue,0062AA18,FlsGetValue,?,?,005F65FB), ref: 005F933E
LoadLibraryExW.KERNEL32(006337E8,00000000,00000000,005ACFDC,006337E8,00000002,5D2E80A5), ref: 005F9366

Strings

api-ms-, xrefs: 005F934B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 6cafa04f2a244c8bd9c7929ef79a7c60743b9f6331b9f1737ecb488bcd6d773e
Instruction ID: 5a86e38e68253f46c4eff663dc59a8d289c5d740cbf0a02837c1427fb932b3f4
Opcode Fuzzy Hash: 6cafa04f2a244c8bd9c7929ef79a7c60743b9f6331b9f1737ecb488bcd6d773e
Instruction Fuzzy Hash: 86E04F70688A0DF7EB311B61ED06F293F5ABB00B45F104461FB0CE80E1D7A6D8658955

Function 00584850 Relevance: 6.5, APIs: 4, Instructions: 462fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,5D2E80A5,?,00000004), ref: 005848C8
MoveFileW.KERNEL32(?,00000000), ref: 00584C9B
DeleteFileW.KERNEL32(?), ref: 00584CE5
FreeLibrary.KERNEL32(?), ref: 00584F7B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteFreeLibraryMoveNameTemp
String ID:
API String ID: 2027907882-0
Opcode ID: 1521517bb3ce4e64a98955cc722e2ba6c96509adedf1a7c98e69d7d29eb417c8
Instruction ID: 19b919c3b0228bae69d834820088ddfb551711dc7d82a503cd4be91088fa3506
Opcode Fuzzy Hash: 1521517bb3ce4e64a98955cc722e2ba6c96509adedf1a7c98e69d7d29eb417c8
Instruction Fuzzy Hash: 5C125C70D1426A9ADB24EF24CC987ADBBB1BF54304F1042D9E849A7291EB756FC4CF81

Function 005E1CB0 Relevance: 6.4, APIs: 4, Instructions: 353stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 005E1E7D
lstrlenW.KERNEL32(?), ref: 005E1E91
CloseHandle.KERNEL32(?), ref: 005E1EE3
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 005E1F11

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: lstrlen$CloseCreateFileHandle
String ID:
API String ID: 2263087898-0
Opcode ID: 613f35b9cecf8ec2f455977c001ce3829e636e3915c3822e758896c0db811268
Instruction ID: 4f8f2c68447111efb13f9b690c7e83a2e98c942002676a86158dcd5f2b9d0eea
Opcode Fuzzy Hash: 613f35b9cecf8ec2f455977c001ce3829e636e3915c3822e758896c0db811268
Instruction Fuzzy Hash: BFF181B0A006488FCB28DF25C884B99BBF9FF88314F14859DE55A973A1D770AE85CF54

Function 00609F16 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(5D2E80A5,00000000,00000000,000000FE), ref: 00609F79

Part of subcall function 0060CA8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,00000000,?,-00000008,-00000008,00000000,?,?,00609D6A,?,00000000), ref: 0060CAEA

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0060A1CF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0060A215
GetLastError.KERNEL32 ref: 0060A2B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 88866fcbe287b176ecf8a9db2bfc09e177940ae4298eec8dc43b315cdceae038
Instruction ID: c126319a169a4e773a563b166e21ff1701fcda49ddfb23e9f3aee263e1871611
Opcode Fuzzy Hash: 88866fcbe287b176ecf8a9db2bfc09e177940ae4298eec8dc43b315cdceae038
Instruction Fuzzy Hash: 08D17D75D04248DFCB19CFE8C880AEEBBB6FF09340F18456AE415EB391E631AA45CB51

Function 005B5970 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 005B59D2
GetShortPathNameW.KERNEL32(?,?,?), ref: 005B5A51
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005B5AA1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 005B5AD7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 4a9d7d6057d12261403f24793f4eed5205d4b6db6b1616b268da933e814a4225
Instruction ID: 0f3c1103514843883467ef856c95a5e4c8b9767d428a93996d469940eb7a7ba1
Opcode Fuzzy Hash: 4a9d7d6057d12261403f24793f4eed5205d4b6db6b1616b268da933e814a4225
Instruction Fuzzy Hash: CC518E71600A06AFDB14DF58DC99BAEFBA9FF44324F104269E915AB390EB71B901CB50

Function 005F833A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005F8401
___AdjustPointer.LIBCMT ref: 005F8424
___AdjustPointer.LIBCMT ref: 005F84C0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6972c02c10b7a488b779aee0ca7de231a7f8a6ee91d765fbadc4252b3fcd7e68
Instruction ID: 7064e842a0c2f554fd4781370942c55c1479ba5fd9fefe09cacf4cc0c0ec3557
Opcode Fuzzy Hash: 6972c02c10b7a488b779aee0ca7de231a7f8a6ee91d765fbadc4252b3fcd7e68
Instruction Fuzzy Hash: 7051D17260061BAFDF298F14D849B7A7FA5FF44718F14492DEA42972A1EB39EC40C790

Function 005C3230 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,00000000,?,?,?,005C1B33,?,00000003), ref: 005C32FD
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,005C1B33,?,00000003), ref: 005C330E
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,?,?), ref: 005C332F
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,?,?), ref: 005C3381

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ca87c7a73b7f5a806a68c8acee116a53b5dad8981cb114333a4fda662b69016b
Instruction ID: f43adcd272d5cabb3145db385e8c2750d51d9214de6a864b19232146192c700a
Opcode Fuzzy Hash: ca87c7a73b7f5a806a68c8acee116a53b5dad8981cb114333a4fda662b69016b
Instruction Fuzzy Hash: 4E415A7020434DBFDB202BE89C86F2B7E99FF44B04F20C92DFA46E5191EA66DA04C751

Function 005F08B0 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 005F0A59
GetLastError.KERNEL32 ref: 005F0A63
SetEvent.KERNEL32(?), ref: 005F0A7A
GetLastError.KERNEL32 ref: 005F0A84

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast
String ID:
API String ID: 3848097054-0
Opcode ID: 5d1a3aa5dc66e555dd7006a83cf5f525bac9a30e8c77a6a2fe8bc28782b84c59
Instruction ID: 67f1e5d3e326e12fe7065fa07dc1219c1a6f2ffe6541704357b28873f4a7a78e
Opcode Fuzzy Hash: 5d1a3aa5dc66e555dd7006a83cf5f525bac9a30e8c77a6a2fe8bc28782b84c59
Instruction Fuzzy Hash: 706118B1601315CFEB24DF18C89876A3BE5BF44314F0952A9DD489F28BD7B9D849CB90

Function 005D1C80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005D1CE0

Strings

Ea, xrefs: 005D1CD1, 005D1D32
GET, xrefs: 005D1EA4
C*], xrefs: 005D1C9F, 005D1E0B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast
String ID: C*]$GET$Ea
API String ID: 1452528299-220731963
Opcode ID: cc29106ed0b18711c1c78c4daff4e096e94710b3904754423343cc8e110d715c
Instruction ID: e26cfd36dab47497e57cfc5680fac529eb9b3255c461e1c92fb2e32a93f0fb4f
Opcode Fuzzy Hash: cc29106ed0b18711c1c78c4daff4e096e94710b3904754423343cc8e110d715c
Instruction Fuzzy Hash: 7C41A771D0061AABDB10EFA8CC49BAEBFB9FF44710F10051AE911E7391DB789900CBA1

Function 005CEF90 Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,5D2E80A5,?,?,?), ref: 005CEFDA
GetFileSize.KERNEL32(00000000,00000000), ref: 005CF00B
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 005CF096
CloseHandle.KERNEL32(00000000), ref: 005CF162

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 164c7a8c8b2381430ecc522b549adcfba60a3bf3dcc2e69877afaa65cb4daa75
Instruction ID: 7e8b5218743a21149409628c8c359434fd1cf2477cd25bb937331ad9fc42965f
Opcode Fuzzy Hash: 164c7a8c8b2381430ecc522b549adcfba60a3bf3dcc2e69877afaa65cb4daa75
Instruction Fuzzy Hash: 3351CD71900219DEEB208FA5CC85BEEBFB5FF51710F2481ADE549A7282DB741A89CF50

Function 005A1600 Relevance: 6.1, APIs: 4, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?,5D2E80A5,00000000,006349E0,?,?,?,?,?,?,?,0061A86D), ref: 005A167A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0061A86D,000000FF), ref: 005A1692
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0061A86D,000000FF), ref: 005A171F
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0061A86D,000000FF), ref: 005A174E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Close$Open
String ID:
API String ID: 2976201327-0
Opcode ID: 1f77758760bfbf184e1ef882cdfc5a61a848c48a876224c393d666760cf0991a
Instruction ID: 30d5967e98cea552945cbff09ec9a1d78e13f3dd9398347e4b2b7334e2d51e39
Opcode Fuzzy Hash: 1f77758760bfbf184e1ef882cdfc5a61a848c48a876224c393d666760cf0991a
Instruction Fuzzy Hash: 6F4115B1901619ABEB20CFA5CD88BEFBFF9FF09350F104119E915A7280D7749A04CBA4

Function 005CDDA0 Relevance: 6.1, APIs: 4, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?), ref: 005CDDE2

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

SetWindowTextW.USER32(?,00000010), ref: 005CDE2A
IsWindow.USER32(00000406), ref: 005CDEB6
EndDialog.USER32(00000406,00000001), ref: 005CDEE6

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$DialogHeapMessageProcessSendText
String ID:
API String ID: 3967821603-0
Opcode ID: f77b355c1d1e79cab08b3fe29d1816982085017774dd70ef553cbe78e3f0dff9
Instruction ID: 40f0f410dbedca4036d144c30defbc00f81351ca2f7ac537d7976b387b19743f
Opcode Fuzzy Hash: f77b355c1d1e79cab08b3fe29d1816982085017774dd70ef553cbe78e3f0dff9
Instruction Fuzzy Hash: AB418831600611EFCB10DF68DC48B5ABBB9FF48720F04426AED14EB2A0DB70AD01DBA0

Function 005E19C0 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9F10: SetFilePointer.KERNEL32(?,00000000,?,00000001,5D2E80A5,?,?,?,00615130,000000FF), ref: 005D9F45
Part of subcall function 005D9F10: GetLastError.KERNEL32(?,00000000,?,00000001,5D2E80A5,?,?,?,00615130,000000FF), ref: 005D9F52

GetLastError.KERNEL32 ref: 005E1A67

Part of subcall function 005D9FB0: SetFilePointer.KERNEL32(?,?,?,?,5D2E80A5,?,?,?,?,?,Function_00095600,000000FF), ref: 005D9FEA
Part of subcall function 005D9FB0: GetLastError.KERNEL32(?,?,?,?,5D2E80A5,?,?,?,?,?,Function_00095600,000000FF), ref: 005D9FF7
Part of subcall function 005D9FB0: SetLastError.KERNEL32(00000000,?,?,?,?,5D2E80A5,?,?,?,?,?,Function_00095600,000000FF), ref: 005DA00E

SetEndOfFile.KERNEL32(?), ref: 005E1A16
GetLastError.KERNEL32 ref: 005E1A29
SetLastError.KERNEL32(00000000), ref: 005E1A4E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$File$Pointer
String ID:
API String ID: 4162258135-0
Opcode ID: 4623bdf47be3f324e5f4ee245b0b1a864ccb5d83cce0f2d46141cfb79119b5d1
Instruction ID: df410f8edb7e8afadab921d2832bdac87006f43997e0df9bcd12062a76b4be78
Opcode Fuzzy Hash: 4623bdf47be3f324e5f4ee245b0b1a864ccb5d83cce0f2d46141cfb79119b5d1
Instruction Fuzzy Hash: 412122327066469B8720DF6AAC04ABBBB99FF91355F04413BFC80C6210E730CD59C6E5

Function 005F0C20 Relevance: 6.1, APIs: 4, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005F0C4F
GetLastError.KERNEL32 ref: 005F0C5A
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 005F0CC4
GetLastError.KERNEL32 ref: 005F0CCE

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 1636903514-0
Opcode ID: af33a5ddb82b52294fb69ce14a9860733d070e9a594e3c6022186eee32a23764
Instruction ID: 11635e7bbf726a5ca979ae46d0400d666e6dca4f7d80f5e1c3cf7e64c461730f
Opcode Fuzzy Hash: af33a5ddb82b52294fb69ce14a9860733d070e9a594e3c6022186eee32a23764
Instruction Fuzzy Hash: 7F21F3322047058BD7308B29D844B67FBE6BF90324F289B1EE3A6865E2D775DC45C750

Function 005F326E Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005F3275
std::_Lockit::_Lockit.LIBCPMT ref: 005F327F

Part of subcall function 00589520: std::_Lockit::_Lockit.LIBCPMT ref: 00589550
Part of subcall function 00589520: std::_Lockit::~_Lockit.LIBCPMT ref: 00589578

std::_Facet_Register.LIBCPMT ref: 005F32D0
std::_Lockit::~_Lockit.LIBCPMT ref: 005F32F0

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 088e81db22046b8c18564a4ba14c43d33a8c45693bf5f883581462f4e7cc9b12
Instruction ID: 8ffdc0e96ff38ce6b73f8353ba3baffd928a092caf6ea46dff3cf1d9f90a0964
Opcode Fuzzy Hash: 088e81db22046b8c18564a4ba14c43d33a8c45693bf5f883581462f4e7cc9b12
Instruction Fuzzy Hash: 7A21A139A0061A8FDB05EF58D855A7E7FA6BFC5310F155019EA01AB361CF74DE05CB90

Function 005CCC30 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,5D2E80A5,?,?,?,00615130,000000FF), ref: 005CCC67
GetExitCodeThread.KERNEL32(?,?,?,?,?,00615130,000000FF), ref: 005CCC81
TerminateThread.KERNEL32(?,00000000,?,?,?,00615130,000000FF), ref: 005CCC99
CloseHandle.KERNEL32(?,?,?,?,00615130,000000FF), ref: 005CCCA2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 0682f8a1fe0351c80883ad9c2b4e5651f372590803508e4496daa9e5752d0658
Instruction ID: 6a825b34e55db2d2c50adac55ddf5d4874fa8c614863db2a186c7581ef49c0d2
Opcode Fuzzy Hash: 0682f8a1fe0351c80883ad9c2b4e5651f372590803508e4496daa9e5752d0658
Instruction Fuzzy Hash: F411AC71504A09EFD7208F54CC09FAABFE9FB04B10F00462EF82A926A0D7B1A944CB90

Function 005CCFA0 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 005CCFBD
DestroyWindow.USER32(?), ref: 005CCFCA
IsWindow.USER32(?), ref: 005CD024
SendMessageW.USER32(?,00000407,00000000,?), ref: 005CD03D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Window$DestroyMessageSend
String ID:
API String ID: 746073012-0
Opcode ID: 26a69c9cf050ed9d1362dab52e33a557505aa0540a77fb7f616862d934f5f687
Instruction ID: fa0c6757b1a2e0f2ce06256b7ac83871abd319fa14fbe2ea58eee7045d9406a7
Opcode Fuzzy Hash: 26a69c9cf050ed9d1362dab52e33a557505aa0540a77fb7f616862d934f5f687
Instruction Fuzzy Hash: EA110F30509301AFD360DF69C888B5ABBE1FF89710F50592EF89AD2260E375E985DB52

Function 005F2684 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005F268B
std::_Lockit::_Lockit.LIBCPMT ref: 005F2696
std::_Lockit::~_Lockit.LIBCPMT ref: 005F2704

Part of subcall function 005F27E7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 005F27FF

std::locale::_Setgloballocale.LIBCPMT ref: 005F26B1

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 8ad76eee28d645468a837381b2e4a6fb74e7ef7428b08cfaa8251523fb443b14
Instruction ID: c67086a5323bf05aa5fc5c5c6ec1ade9db149accd52c5beb136b399810430656
Opcode Fuzzy Hash: 8ad76eee28d645468a837381b2e4a6fb74e7ef7428b08cfaa8251523fb443b14
Instruction Fuzzy Hash: 4E019EB5A006298BC705FF20D859A7C3FA6FFC1350F140008EA015B381DB386A42CB92

Function 005CCCE0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,5D2E80A5,?,?,?,00615130,000000FF), ref: 005CCD17
GetExitCodeThread.KERNEL32(?,?,?,?,?,00615130,000000FF), ref: 005CCD31
TerminateThread.KERNEL32(?,00000000,?,?,?,00615130,000000FF), ref: 005CCD49
CloseHandle.KERNEL32(?,?,?,?,00615130,000000FF), ref: 005CCD52

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: b4d4552521de62ae8b0605ef084d745ef30cb286f2799567436ef1a0ed9ff167
Instruction ID: 4b0b0b3c20cc2c8b90d348390098d901d6d00e87a6d3a2d64ab23ef0612397f7
Opcode Fuzzy Hash: b4d4552521de62ae8b0605ef084d745ef30cb286f2799567436ef1a0ed9ff167
Instruction Fuzzy Hash: 7D014C71508A45EFDB318F54DC09FA6BFF9FB04B20F104A6DF86A926A0D771A944CA50

Function 005F0D30 Relevance: 6.0, APIs: 4, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 005F0D62
GetLastError.KERNEL32 ref: 005F0D6C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005F0D77
GetLastError.KERNEL32 ref: 005F0D82

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: b2126b3e4d505ae29bcf439f7a1f09b1326489547537e65f6eb00c1c635033ff
Instruction ID: 410ba2ded28417d2008bc567de4e025d6c015a92a047ff33e48e3db5dcd71312
Opcode Fuzzy Hash: b2126b3e4d505ae29bcf439f7a1f09b1326489547537e65f6eb00c1c635033ff
Instruction Fuzzy Hash: 0F01B5321047059FD7308FA9D884B27BFE6BF90320F189A1DE1A6C71D1C374B8449B60

Function 005C4420 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 005C4432
SetWindowTextW.USER32(00000000,00000009), ref: 005C443D
GetDlgItem.USER32(00000000,0000040B), ref: 005C444E
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 005C445F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Item$MessageSendTextWindow
String ID:
API String ID: 2101643998-0
Opcode ID: 8d1fe8bf58a90baef206abf293b7e722e7559724461fc695876a3c998f728b2d
Instruction ID: 72113def72dfec436c0da34a2f68a3b474cfeffa5cce025ee65c1f7002699f31
Opcode Fuzzy Hash: 8d1fe8bf58a90baef206abf293b7e722e7559724461fc695876a3c998f728b2d
Instruction Fuzzy Hash: 21016D72204A02BBCB159F90EC09E5ABB7AFF48B01B008118F605D2560C730A862DF90

Function 005CCD70 Relevance: 6.0, APIs: 4, Instructions: 39threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0004CE80,?,00000000,?), ref: 005CCD95
GetLastError.KERNEL32(?,00000000,?), ref: 005CCDA2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005CCDB9
GetExitCodeThread.KERNEL32(?,?), ref: 005CCDC7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 43fb8e38fb2717956261b7556274b60c7bd7d03f660733481fa50101829c9c76
Instruction ID: 2b9f5c7e5c349b62d1ea683e478a7b9f62970d2879805fb4eeba9b61c78623ee
Opcode Fuzzy Hash: 43fb8e38fb2717956261b7556274b60c7bd7d03f660733481fa50101829c9c76
Instruction Fuzzy Hash: 97F06275508701AFD720DB68EC49F87BFE4BF54711F00452AF889C2290E6309518C6A2

Function 006133E7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,006122E5,00000000,00000001,00000000,000000FE,?,0060A30C,000000FE,00000000,00000000), ref: 006133FE
GetLastError.KERNEL32(?,006122E5,00000000,00000001,00000000,000000FE,?,0060A30C,000000FE,00000000,00000000,000000FE,000000FE,?,0060A8AF,?), ref: 0061340A

Part of subcall function 006133D0: CloseHandle.KERNEL32(FFFFFFFE,0061341A,?,006122E5,00000000,00000001,00000000,000000FE,?,0060A30C,000000FE,00000000,00000000,000000FE,000000FE), ref: 006133E0

___initconout.LIBCMT ref: 0061341A

Part of subcall function 00613387: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006133B6,006122D2,000000FE,?,0060A30C,000000FE,00000000,00000000,000000FE), ref: 0061339A

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,006122E5,00000000,00000001,00000000,000000FE,?,0060A30C,000000FE,00000000,00000000,000000FE), ref: 0061342F

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a8747cf308f3f44604878fb0f142ea3d564e0d8baeef7987b72c83a49521bf4e
Instruction ID: bf327455c080e465c1c772618102cbd181d8af402ef6b47c0eebfd3c6821118f
Opcode Fuzzy Hash: a8747cf308f3f44604878fb0f142ea3d564e0d8baeef7987b72c83a49521bf4e
Instruction Fuzzy Hash: 78F01C3A100578BBCF225FD1DC09DDA7F67FF093B0F085454FA5A96220CA328960AB94

Function 005F0B10 Relevance: 6.0, APIs: 4, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005F0B25
GetLastError.KERNEL32 ref: 005F0B30
SetEvent.KERNEL32(?), ref: 005F0B4F
GetLastError.KERNEL32 ref: 005F0B59

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: 4462c313a9107a24e3493f8992d6f9d68d7b641743b5400933fa64453ae60222
Instruction ID: 4f86f4ad4a4d7fb0ac3f719c331bddc140c1c699046fb68fed0b7063c1fcb0d0
Opcode Fuzzy Hash: 4462c313a9107a24e3493f8992d6f9d68d7b641743b5400933fa64453ae60222
Instruction Fuzzy Hash: FCF058315089048FC7216B24EC08E2E7FA2BF95334F286A18E262831F1CB3498429B50

Function 0060DD00 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

0d, xrefs: 0060DD2C
0d, xrefs: 0060DFD2

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID:
String ID: 0d$0d
API String ID: 0-1181051537
Opcode ID: 58d939fb9cba42649d84a5cea112a252950ad0bd3415f7547a0043f8a08c8031
Instruction ID: cf7595e0cf5d5fd5abcb50ece5dca55397cad122be3b272d9995c21a9c5d7975
Opcode Fuzzy Hash: 58d939fb9cba42649d84a5cea112a252950ad0bd3415f7547a0043f8a08c8031
Instruction Fuzzy Hash: D9B149B2A80205AADB65DFA4CC82FEB77FDAF04700F154659FA15EB1C2E770E9048B54

Function 005CB6A0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 286fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

DeleteFileW.KERNEL32(?), ref: 005CB795
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 005CB91D

Part of subcall function 005A8BF0: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,5D2E80A5,00000000,?), ref: 005A8C34
Part of subcall function 005A8BF0: ReadFile.KERNEL32(00000000,?,000003FF,00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,5D2E80A5,00000000), ref: 005A8C77

Part of subcall function 005A9B20: LoadStringW.USER32(?,?,00000514,5D2E80A5), ref: 005A9B78

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 005CB738

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$Delete$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 856989409-3685554107
Opcode ID: 30bd514c0564e1bd5fc14fe87b7244d1b76ff6fb8fe5eca461bd87022d8e4027
Instruction ID: 624500feaf2c1391cac8d1398acdeba5d37c7aa44d69c0fce096abf4215d78a1
Opcode Fuzzy Hash: 30bd514c0564e1bd5fc14fe87b7244d1b76ff6fb8fe5eca461bd87022d8e4027
Instruction Fuzzy Hash: 60B1C131A006059FDB01DFA8C899AADBBB5FF48320F18416DE915EB391DB35AD05CBA1

Function 005C5180 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32(5D2E80A5,00000000,?,?,?,5D2E80A5), ref: 005C51B7

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

Part of subcall function 005D4DC0: GetLocaleInfoW.KERNEL32(00000000,00000002,006337C0,00000000), ref: 005D4E41
Part of subcall function 005D4DC0: GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 005D4E7D

Strings

he, xrefs: 005C524C
SystemDefault LangID=, xrefs: 005C5205

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$DefaultHeapLangProcessSystem
String ID: SystemDefault LangID=$he
API String ID: 2240978303-1890005533
Opcode ID: f894fa519c2d7b351a18ad0df783a02f9e719f3dc16a536a6f202c6cbeb9d702
Instruction ID: 109f02cd4b5633e6ad445978b00312a956ef2a4d2b958d49b98848add6b923d1
Opcode Fuzzy Hash: f894fa519c2d7b351a18ad0df783a02f9e719f3dc16a536a6f202c6cbeb9d702
Instruction Fuzzy Hash: 2D71D331A00A568FCB10DFA8C858B6DBBB5FF44320B15465DE921A73D1DB74AD02CB90

Function 005ABB00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,5D2E80A5,?,80000002,80000002), ref: 005ABB53
LeaveCriticalSection.KERNEL32(?,5D2E80A5,80000002,00000000,00614F60,000000FF,?,80004005,?,80000002,80000002), ref: 005ABCCF

Strings

LOG, xrefs: 005ABBC7

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalFileLeaveModuleNameSection
String ID: LOG
API String ID: 1232429956-429402703
Opcode ID: f68373205078f1e6575dc96c190b888afcc153c941400b6241c65b6d77d480e7
Instruction ID: 5848446f64ec836d4c44ff99da37a8be23e2958c3bc938ef17974f0b5fb8b0a4
Opcode Fuzzy Hash: f68373205078f1e6575dc96c190b888afcc153c941400b6241c65b6d77d480e7
Instruction Fuzzy Hash: EA514431A002499FEB14DF28CC55BAEBBB5FF45310F548569E80ADB382EB759E048BD0

Function 005869B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,5D2E80A5), ref: 00586A52

Strings

\\?\UNC\, xrefs: 00586A77, 00586AD8
\\?\, xrefs: 00586B4B, 00586B76

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: b2678ce0638df0e8935bdd011778036480daf0ad9c787a2c08dfe72722f84f42
Instruction ID: 76a21955952be147b47257526ba8dc26e1192edc3989382144543c88bf1d7d87
Opcode Fuzzy Hash: b2678ce0638df0e8935bdd011778036480daf0ad9c787a2c08dfe72722f84f42
Instruction Fuzzy Hash: 8E5181B0D00205DBDB14EF68C84ABAEBBF5FF85308F10861DE851B7681DB75A948CB91

Function 005AB940 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,5D2E80A5,?,80000002,00650A68), ref: 005AB97F
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00650A68), ref: 005AB9E0

Strings

ADVINST_LOGS, xrefs: 005AB9B8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: ac35a54307cc422536cc1c068975986e998e3d8e77e378b53c94e13def009a87
Instruction ID: 981c5154703b4ff642857cf9216b5baca67dfef5410a80d9c018bf1867c31c97
Opcode Fuzzy Hash: ac35a54307cc422536cc1c068975986e998e3d8e77e378b53c94e13def009a87
Instruction Fuzzy Hash: AA51D175900219CBDB309F28C8447BEBBB4FF15314F2446AEE85697292EB348E81CBD0

Function 005A2920 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,5D2E80A5,00000000,00000000), ref: 005A29C8

Strings

8Fc, xrefs: 005A2962

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: 8Fc
API String ID: 32694325-2812392795
Opcode ID: cdac6cc22bbde8cdae6a465b1df293f0a1658eddb76166caf8262a998c432c98
Instruction ID: 4850e42f33aacdb58130ea670373e40725d84d3a9c66d12173d9c2148fde45ee
Opcode Fuzzy Hash: cdac6cc22bbde8cdae6a465b1df293f0a1658eddb76166caf8262a998c432c98
Instruction Fuzzy Hash: 6E51C035A003198BDB24CF14CC55BAEBBB4FF8A710F0486D9D80A67690EB755E84CF91

Function 005AB110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005839B0: GetProcessHeap.KERNEL32 ref: 00583A05

WriteFile.KERNEL32(?,00000005,?,?,00000000,006337E8,00000002,?,00000000,CPU: ,00000005), ref: 005AB201
FlushFileBuffers.KERNEL32(?), ref: 005AB20A

Part of subcall function 00585350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0059E648,-00000010), ref: 00585373

Strings

CPU: , xrefs: 005AB168, 005AB17A, 005AB184

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: 4e1a5f6c318beb7d49e2f1f26d7df4d796198fc028f49cbc722af37b6f65ce07
Instruction ID: de3cb244127e45f23d18e14e427e5241cf47d4ff59983c97994abc4bca49681a
Opcode Fuzzy Hash: 4e1a5f6c318beb7d49e2f1f26d7df4d796198fc028f49cbc722af37b6f65ce07
Instruction Fuzzy Hash: A341CE31A00A09AFDB00EFA8CC59BAEBBB5FF45720F144619E811A7391DB75AD01CBD0

Function 005F8936 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 005F895B

Strings

RCC, xrefs: 005F8975
MOC, xrefs: 005F896D

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 76cc4caa4605dc0649f677357d6f2135c854411f28a0a2a8741d40fc208a18a1
Instruction ID: 7d45984fbca2fa60a909c74d80a068ed7d74ee706da627e4563f7a8eb672d68e
Opcode Fuzzy Hash: 76cc4caa4605dc0649f677357d6f2135c854411f28a0a2a8741d40fc208a18a1
Instruction Fuzzy Hash: 1541157190020EAFCF16DF94CD85ABEBFB5FF48310F14409AFA08A6265D639AA50DB51

Function 005892D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005892FB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0058935E

Strings

bad locale name, xrefs: 00589381

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 906809070c2089260baf6f2ad410e6cd8b4eaafd04de25a4e9208228202b2281
Instruction ID: 95e6a35350ba7c37e3be0376daae69aa155c109b804069cb50323c1c0cfb462d
Opcode Fuzzy Hash: 906809070c2089260baf6f2ad410e6cd8b4eaafd04de25a4e9208228202b2281
Instruction Fuzzy Hash: 3A21F0B0805784DED321CF68C80479BBFF4EF15714F148A8DD49597B81D3B9A608CBA1

Function 00581070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00650A3C,00000000,00000000,5D2E80A5,?,0061A3A3,000000FF), ref: 005810A5
GetLastError.KERNEL32(?,0061A3A3,000000FF), ref: 005810AF

Strings

,e, xrefs: 0058109B

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: ,e
API String ID: 3413597225-153164747
Opcode ID: 33075b71da2713e41b550171e667dc6d2a9cdb5ec1e7458b8ee623a46c7f4cd6
Instruction ID: 6f51806c4bea2fc1c5f3333c88c13612a687e66cd5174cd4748f93ba52526688
Opcode Fuzzy Hash: 33075b71da2713e41b550171e667dc6d2a9cdb5ec1e7458b8ee623a46c7f4cd6
Instruction Fuzzy Hash: B211CBB0A04B85DBFB10CF21ED09B5A7FEAF700715F005258E8109B7A1D7BA9008CF44

Function 005F1BAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005A0600: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,5D2E80A5,?,Function_00095110,000000FF), ref: 005A0627
Part of subcall function 005A0600: GetLastError.KERNEL32(?,00000000,00000000,5D2E80A5,?,Function_00095110,000000FF), ref: 005A0631

IsDebuggerPresent.KERNEL32(?,?,?,0058160A), ref: 005F1BDE
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0058160A), ref: 005F1BED

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005F1BE8

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 8c1b2d382a83511a96a1000949bcab7344b260167f05315a197933ed8e730e01
Instruction ID: 58fcef211eceeb5a61cec2088ccda009b43afc19cbffc0c32fd6d587d0b168fa
Opcode Fuzzy Hash: 8c1b2d382a83511a96a1000949bcab7344b260167f05315a197933ed8e730e01
Instruction Fuzzy Hash: B4E06D70201B12CFD3309F68E5087967EE5BF81304F00995DE846C6251EBB5D544CBA1

Function 005ED070 Relevance: 5.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 005ED0DD
GetLastError.KERNEL32 ref: 005ED0E7
CloseHandle.KERNEL32(00000000), ref: 005ED10E
GetLastError.KERNEL32 ref: 005ED118

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ab72d5c172bfcb99e8517d1894abd8bffa2571d9eb0520410d8c2910594c7ef5
Instruction ID: f86398d0bb25f490ff644f9bb84027b5607eca85884ecc5e5f10885c937cf0d2
Opcode Fuzzy Hash: ab72d5c172bfcb99e8517d1894abd8bffa2571d9eb0520410d8c2910594c7ef5
Instruction Fuzzy Hash: 3431CAB1904649DFDB28DF69D948B5ABFB8FF04750F204259E850AB280E775AA05CBA0

Function 005E4690 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000001,5D2E80A5), ref: 005E46E9
GetLastError.KERNEL32 ref: 005E46F3
CloseHandle.KERNEL32(00000001,5D2E80A5), ref: 005E4714
GetLastError.KERNEL32 ref: 005E471E

Memory Dump Source

Source File: 00000004.00000002.2189925890.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000004.00000002.2189908305.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190195725.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190237727.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000656000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2190332753.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_580000_aipackagechainer.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 161b74e72d8234a8ed5343d9bdc971c4e78dcb07371f5dffc78a660c7adb159f
Instruction ID: 878e2651e8d77cb931f0ca8784ba592a61ad81d31091112fe3651b37ff6f4ae1
Opcode Fuzzy Hash: 161b74e72d8234a8ed5343d9bdc971c4e78dcb07371f5dffc78a660c7adb159f
Instruction Fuzzy Hash: 1A21DEB1A05684DBCB20CF69D948F6BBFF8FF02B50F144599E884A7280D771A9058BA0

Analysis Process: powershell.exePID: 6040, Parent PID: 4052COMMON

Executed Functions

Function 07A10381 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

@}Fl, xrefs: 07A103B7

Memory Dump Source

Source File: 00000008.00000002.2310969265.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7a10000_powershell.jbxd

Similarity

API ID:
String ID: @}Fl
API String ID: 0-73316818
Opcode ID: e172c38b60df96498942fcc64f7faacc1529e12bda7022556b86ccdfead3d9d4
Instruction ID: a6812a5d39e7eb2457f06a8f15085d789db2db55bdb914971b9efd1ff134ddf3
Opcode Fuzzy Hash: e172c38b60df96498942fcc64f7faacc1529e12bda7022556b86ccdfead3d9d4
Instruction Fuzzy Hash: 27E0E51425E3D01FD31793B89825AAA7FB15F8359070A58EBE584CF9ABC94C5C4983A3

Function 04A629F0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2252743812.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265c80ba19c21fad8d6100e6f1f5268562c22108fb961ea3a2c53ba80bd83802
Instruction ID: 0ccf014461c5592cbcaf5cc6e2eac2ccd7492b76a14a71b21780ba614a0e69c4
Opcode Fuzzy Hash: 265c80ba19c21fad8d6100e6f1f5268562c22108fb961ea3a2c53ba80bd83802
Instruction Fuzzy Hash: 43915875A00205CFCB15DF59C494AAEFBB1FF88310B2486A9D916AB365C735FC51CBA0

Function 04A6B028 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2252743812.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cf173a85beb423df45659c9ac6e0fcb80d40509b1cb1965c9a47e8024ab8bf
Instruction ID: 9b69cf551d5e598c6605ca93151d4ae3f2f8b08c2c6c30768decb248ef4fd0a0
Opcode Fuzzy Hash: 80cf173a85beb423df45659c9ac6e0fcb80d40509b1cb1965c9a47e8024ab8bf
Instruction Fuzzy Hash: 88512730B00224CFEB159B78C855B6D77B6BF89248F2441A8D10ADB3A0EF35AD85CF60

Function 04A6AF13 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2252743812.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb2b4467a791d317d6961127449424fbbe9dcde6b5151aa4f671980ce45c9f
Instruction ID: 992a74db343e2b56666279221121a9a332de459793bd04490ebcea802895c88d
Opcode Fuzzy Hash: 65fb2b4467a791d317d6961127449424fbbe9dcde6b5151aa4f671980ce45c9f
Instruction Fuzzy Hash: B231FE74A0121ACFEB29DF68CD90F9DB7B1BF84204F1042E9D108AB391DA749E85CF90

Function 0324D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2250429184.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a48fd640470baa7fd14bab1707bcf7e81ddb1f7d1c50999a624a97006ad15
Instruction ID: 1f28ec283016cb196d170028dff217cb5d425bb2817d4963d36415dddb5caee1
Opcode Fuzzy Hash: f28a48fd640470baa7fd14bab1707bcf7e81ddb1f7d1c50999a624a97006ad15
Instruction Fuzzy Hash: 0201527244D3C09FE7168B258D94752BFA8DF43224F1D85DBE9848F1A3C2695C45C772

Function 0324D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2250429184.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1456193f6e6059ced5fe356d4ee25215586713f0ff3786269deeceb9cd12fd0
Instruction ID: ca95edd2b82ac55746ee36b2d038ff5abdfd74b2bd36225d34c9989258c9624c
Opcode Fuzzy Hash: e1456193f6e6059ced5fe356d4ee25215586713f0ff3786269deeceb9cd12fd0
Instruction Fuzzy Hash: 3501F272418340EAE718CA25CD80B66FF98DF41764F0CD15AED080B243C6B89881C6B1

Analysis Process: powershell.exePID: 6640, Parent PID: 6040COMMON

Executed Functions

Function 030A2225 Relevance: 1.9, Strings: 1, Instructions: 615COMMON

Download Yara Rule

Strings

^6k, xrefs: 030A25D0

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID: ^6k
API String ID: 0-3391091469
Opcode ID: 671b3e96c1288f62e8760d780d16efbaf25625bd0b2a817baee58b4a024edb39
Instruction ID: 3fca2285ccab1be0e6d57b7caa39ad8b3bcbaecc332a3f7f32f3851e384af4e4
Opcode Fuzzy Hash: 671b3e96c1288f62e8760d780d16efbaf25625bd0b2a817baee58b4a024edb39
Instruction Fuzzy Hash: 41C1807190A3A09FD707EB38D8616997FF5AF47214B1A00DBC081CF1A3EA348D49CB65

Function 030A32C0 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

W, xrefs: 030A33DC

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 38dc9e8609a1122960e1426a10be74e31b0ee9a2f51d18db57f2b6e4bc70bd7c
Instruction ID: f586d26b7b8a7225607b193091cbc84c60b1cf1b6b5e2e0c8ae3fc0dd2fbdc78
Opcode Fuzzy Hash: 38dc9e8609a1122960e1426a10be74e31b0ee9a2f51d18db57f2b6e4bc70bd7c
Instruction Fuzzy Hash: E3A19C74A05605CFCB06CFADC494AAEFBB1FF49310B2886A9C515AB3A5C735EC51CB90

Function 030A7600 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a0bb30a758551303729308a446b4ef9756c37c9928dee069f68fa033686d4e
Instruction ID: 0da462b11ba9cdd7090a1e6e8a0b94c8c2613b04dd4115ed25c4ae31ebb9b3be
Opcode Fuzzy Hash: f6a0bb30a758551303729308a446b4ef9756c37c9928dee069f68fa033686d4e
Instruction Fuzzy Hash: 69A19234A05644DFCB05CFA8D884AAEBBF6FF89710F1884A9E405AB361C735ED46CB50

Function 030A19D0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1958fa4a751920580313cf3e4399bbd9a203c7465e4245db887c7b9c405710f0
Instruction ID: fa132d29d9a27581421901eb287c5516dcc549ceddbed71270066fd132743a94
Opcode Fuzzy Hash: 1958fa4a751920580313cf3e4399bbd9a203c7465e4245db887c7b9c405710f0
Instruction Fuzzy Hash: 3831BC74E097559FCB01DFACD8908AABFB0FF4A300B05819AD446DB362D630ED46CBA5

Function 030A81F3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9663ac30b1d7e1d7cfbec5011c673e2c38a2521859b45053c9bfdcc90b619deb
Instruction ID: ab4e3d709e53931330588c5692156bcc701f27247b066c211f28d04f7b5a3641
Opcode Fuzzy Hash: 9663ac30b1d7e1d7cfbec5011c673e2c38a2521859b45053c9bfdcc90b619deb
Instruction Fuzzy Hash: 1D31FC70A0111ACFEB69DF69DD50F9DBBB2BF84204F1045E9D108AB391DA349E85CF90

Function 030A7858 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c408c3bc3d6c7f4d58efa7f5abe271478623b398baeb956319bc905bbbfb8d
Instruction ID: b1bc5f8e8c66a347f2747fd30c3a9d0e1f361b3455655d448912cb59934f0e84
Opcode Fuzzy Hash: 08c408c3bc3d6c7f4d58efa7f5abe271478623b398baeb956319bc905bbbfb8d
Instruction Fuzzy Hash: 7D11B274E016099FCB00DF9CD9809AEBBB5FF88310B1585A9E909AB351C731ED41CBA0

Function 02F9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2242674755.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2f9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b264836da7d05c4a955217a278a1efa8c195ae72bb239bbb2f0ccde7231ffb7
Instruction ID: d91ad4c470f5e84eddec890d24468b0ff960c8a7e8bfa9a30f8ee2ba27ad5dba
Opcode Fuzzy Hash: 8b264836da7d05c4a955217a278a1efa8c195ae72bb239bbb2f0ccde7231ffb7
Instruction Fuzzy Hash: DD012B72904344DAFB105E25CD84B67FFD8DF41BA4F28C11ADF084B16AC7B99441C6B1

Function 02F9D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2242674755.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2f9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0bfefd94a6336a446b2e6e840d8a918c7227caab8e512a6e959dcfca509a4f
Instruction ID: 9f599f6f089be2569ef0313a78da0b87fb1ca4f4e345838ba7138fc40fc92ba5
Opcode Fuzzy Hash: 2a0bfefd94a6336a446b2e6e840d8a918c7227caab8e512a6e959dcfca509a4f
Instruction Fuzzy Hash: FF014C7240E3C09FE7128B258894B52BFB4DF43624F1980DBD9888F1A7C2699849C772

Non-executed Functions

Function 030A26D5 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

q, xrefs: 030A274A
q, xrefs: 030A273A
q, xrefs: 030A272A
q, xrefs: 030A275A

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID: q$q$q$q
API String ID: 0-594874556
Opcode ID: 0007fd3a86259f83689803dc5d61879ebae4520c35fce6bb2e15819403bc1841
Instruction ID: cea0e0b569824a237e8916ef06f13a47e449e90d84bfdc8bc2079f2efcbe2de8
Opcode Fuzzy Hash: 0007fd3a86259f83689803dc5d61879ebae4520c35fce6bb2e15819403bc1841
Instruction Fuzzy Hash: 27115E6190E7D2AFD307A73898651D87FB4AF23254B4900D7C894CB1E3E658982EC3A6

Function 030A2725 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

q, xrefs: 030A274A
q, xrefs: 030A273A
q, xrefs: 030A272A
q, xrefs: 030A275A

Memory Dump Source

Source File: 0000000B.00000002.2244269968.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30a0000_powershell.jbxd

Similarity

API ID:
String ID: q$q$q$q
API String ID: 0-594874556
Opcode ID: 5b9a71ebfa174d21f11951c4192840a29a1c7444e929543396d2aa9c68caefef
Instruction ID: 88de82b9305803ee7fc1c99e9f364033aa6b29e41f3148b147f3f47a5a79b191
Opcode Fuzzy Hash: 5b9a71ebfa174d21f11951c4192840a29a1c7444e929543396d2aa9c68caefef
Instruction Fuzzy Hash: D8F08961E0D6C2BFE316477894252D87BA0AF37310F4801DBCC64CB5D2F55C5425C296

Analysis Process: file.exePID: 5988, Parent PID: 2864COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	11.3%
Signature Coverage:	0.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00E7C0AD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00E7C0C8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C0E6
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C104
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00E7C122
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00E7C16B
RegQueryValueExA.ADVAPI32(?,00E7C32D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001), ref: 00E7C189
RegCloseKey.ADVAPI32(?,00E7C1B8,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C1AB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00E7C1C8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00E7C1D5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00E7C1DB
lstrlen.KERNEL32(00000000), ref: 00E7C206
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00E7C25B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C26B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00E7C297
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2A7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2D1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2E1

Strings

Software\Borland\Delphi\Locales, xrefs: 00E7C118
Software\Borland\Locales, xrefs: 00E7C0DC, 00E7C0FA

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: a5458535a20ffe70ae862f14291282f184ff711f039207bc68a654b12c11651b
Instruction ID: 2fe32294c74d46e38718232ea81e6b009c0e9321cf719279e4d115f2537cd667
Opcode Fuzzy Hash: a5458535a20ffe70ae862f14291282f184ff711f039207bc68a654b12c11651b
Instruction Fuzzy Hash: 23614F71A0424E7EEB10DAE4CC46FEF77FC9B08704F5094A9B648F6182DAB4DE448B50

Function 00E7C1B7 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00E7C1C8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00E7C1D5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00E7C1DB
lstrlen.KERNEL32(00000000), ref: 00E7C206
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00E7C25B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C26B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00E7C297
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2A7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2D1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00E7C2E1

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction ID: 3a96d6d2253ce5286d2e0bb93f50dc1c6adb6c019e4d36c19e749cfec6adeecf
Opcode Fuzzy Hash: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction Fuzzy Hash: 33313071E0424E7EEF11DAE8CC89BEF77FC9B18304F5095A5A189F2142DAB8DE458B50

Function 00E7E5A5 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00E7E5C0
FindClose.KERNEL32(00000000,00000000,?), ref: 00E7E5CB
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7E5E4
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00E7E5F5

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 7bd837149a773f0bb6b995382b412284bf150fa64dd813bceb362f3db8973c81
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: 93F0F475D0060CA6CB20DAE48D859CEB7EC9B08328F1056A5B52DF2191EB349B444751

Function 00E8D397 Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E8D39B

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 002DA76B Relevance: 32.2, APIs: 12, Strings: 6, Instructions: 702windowsleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002DAA28
TranslateMessage.USER32(?), ref: 002DAB77
DispatchMessageW.USER32(?), ref: 002DAB85
Sleep.KERNEL32(0000000A,?,?), ref: 002DAB8F

Strings

@GUI_WINHANDLE, xrefs: 00319991
@GUI_CTRLID, xrefs: 0031992F
P3:, xrefs: 003199B6
P3:, xrefs: 00319958
@GUI_CTRLHANDLE, xrefs: 003199EF
P3:, xrefs: 00319A14

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Message$DispatchSleepTimeTranslatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$P3:$P3:$P3:
API String ID: 1406140084-3322565093
Opcode ID: 0c740f90f9c55cb599ae162efc4598cdba50506a8514fb80f297a8f8d49b6cfe
Instruction ID: 3038679e63a26f19aadfd8e2ec457bfe81385512b8431536c6cab5fed5ca75c9
Opcode Fuzzy Hash: 0c740f90f9c55cb599ae162efc4598cdba50506a8514fb80f297a8f8d49b6cfe
Instruction Fuzzy Hash: 62521270618342DFD72ACF24C894FAAB7E4BF45304F14851AE59987391DBB4ADA4CB83

Function 00E91B29 Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,H!), ref: 00E91C2E
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,H!,00000000,00000000,00000000,00000000,00000000,00000004), ref: 00E91C52
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,H!), ref: 00E91C85
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,H!,00000000,00000000,00000000,00000000,00000000,00000004), ref: 00E91CA5
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,H!,00000000,00000000,00000000,00000000,00000000,00000004), ref: 00E91CD7

Part of subcall function 00E8D7FD: GetTickCount.KERNEL32 ref: 00E8D876

Part of subcall function 00E905C1: MessageBoxA.USER32(00000000,00000000,00E90621,00040040), ref: 00E905F4

GetTickCount.KERNEL32 ref: 00E92110

Strings

NtSetContextThread, xrefs: 00E91ED6
NtTerminateProcess, xrefs: 00E91F7B, 00E92012, 00E92106
NtUnmapViewOfSection, xrefs: 00E91D87
H!, xrefs: 00E91BD1, 00E91C64, 00E920E0, 00E91FEC, 00E91DEB, 00E91F55, 00E91E60, 00E91EFC, 00E91E09, 00E91D5D, 00E91DC8, 00E91DAA, 00E91C8E, 00E91CAE, 00E91C06, 00E91C3B, 00E91C09, 00E91C3E, 00E91C67, 00E91C91, 00E91CB1, 00E91DAD, 00E91DCB, 00E91DEE, 00E91E63, 00E91EFF
execution failure, try to assign other file path, xrefs: 00E91FCA, 00E92060
NtResumeThread, xrefs: 00E91F2D
D, xrefs: 00E91BDE
NtGetContextThread, xrefs: 00E91D2B
NtFreeVirtualMemory, xrefs: 00E920D0

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$H!$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-3865950563
Opcode ID: 1b7010f30dd5f5969989966a52de71225728cf56ffba3eda9ed07148b2ba8938
Instruction ID: 3a2fca8a20fc002ef4ab4100d59ea7593489bd300fa1d3b1f151fc6d8758e24b
Opcode Fuzzy Hash: 1b7010f30dd5f5969989966a52de71225728cf56ffba3eda9ed07148b2ba8938
Instruction Fuzzy Hash: C912CC70A40219AFDF60DBA9CC82FDEB7F9AB08704F145095F658F7281D771AE848B61

Function 002E310D Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002E313C

Part of subcall function 002DF82C: _wcslen.LIBCMT ref: 002DF83F

GetCurrentProcess.KERNEL32(?,0036D9B8,00000000,?,?), ref: 002E3253
IsWow64Process.KERNEL32(00000000,?,?), ref: 002E325A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002E3285
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002E3297
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002E32A5
FreeLibrary.KERNEL32(00000000,?,?), ref: 002E32AC
GetSystemInfo.KERNEL32(?,?,?), ref: 002E32D3

Strings

`#:, xrefs: 002E32BD
l#:, xrefs: 002E3117
l#:, xrefs: 002E318D
kernel32.dll, xrefs: 002E3280
GetNativeSystemInfo, xrefs: 002E3291

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$`#:$kernel32.dll$l#:$l#:
API String ID: 3290436268-1819421591
Opcode ID: a6eb4c1e73646910dcab2dc54969065f0c9c5d32e7b4b311ac66d7d012f3557d
Instruction ID: 34142b9c3218d8918bd6ca7c7d97f24764b3f45b00f9759810024efdf76a6e5c
Opcode Fuzzy Hash: a6eb4c1e73646910dcab2dc54969065f0c9c5d32e7b4b311ac66d7d012f3557d
Instruction Fuzzy Hash: 5B91C13A92A3D2DBCF13C77D7C451AB3FAC6B27700F148899D9819B2A1D2688904DB25

Function 002E2D33 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002E2D63
IsDebuggerPresent.KERNEL32 ref: 002E2D76
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002E2DE2

Part of subcall function 002DF82C: _wcslen.LIBCMT ref: 002DF83F

Part of subcall function 002DA65C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002DA69D

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 002E2E63
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00327988
SetCurrentDirectoryW.KERNEL32(?), ref: 003279C9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00391E24), ref: 00327A52
ShellExecuteW.SHELL32(00000000), ref: 00327A59

Part of subcall function 002E2C51: GetSysColorBrush.USER32(0000000F), ref: 002E2C5C
Part of subcall function 002E2C51: LoadCursorW.USER32(00000000,00007F00), ref: 002E2C6B
Part of subcall function 002E2C51: LoadIconW.USER32(00000063), ref: 002E2C81
Part of subcall function 002E2C51: LoadIconW.USER32(000000A4), ref: 002E2C93
Part of subcall function 002E2C51: LoadIconW.USER32(000000A2), ref: 002E2CA5
Part of subcall function 002E2C51: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E2CBD
Part of subcall function 002E2C51: RegisterClassExW.USER32(?), ref: 002E2D0E

Part of subcall function 002EFBB7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002EFBE5
Part of subcall function 002EFBB7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002EFC06
Part of subcall function 002EFBB7: ShowWindow.USER32(00000000), ref: 002EFC1A
Part of subcall function 002EFBB7: ShowWindow.USER32(00000000), ref: 002EFC23

Part of subcall function 002E34C7: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E3598

Strings

p3:, xrefs: 002E2D86
AutoIt, xrefs: 0032797D
runas, xrefs: 00327A4D
p):, xrefs: 002E2E2E
It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00327982

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$p):$p3:$runas
API String ID: 683915450-3266765435
Opcode ID: 968145b3dce47f9e603ba2da89db14e7a484edc545811a810e56c9f1746a4154
Instruction ID: 3210a54601f0c008d6531a03db3f4010aad9601f9527849365e9558a52a7dcd4
Opcode Fuzzy Hash: 968145b3dce47f9e603ba2da89db14e7a484edc545811a810e56c9f1746a4154
Instruction Fuzzy Hash: CE51283565C381AACF03EF65DC559AF7BACAB46700F44042DF582422E2CB64996DCB62

Function 002E0E5B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D1155: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 002D1173

Part of subcall function 002EFD48: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002E0F35), ref: 002EFD6A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002E0F78
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00326FEF
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00327030
RegCloseKey.ADVAPI32(?), ref: 00327072
_wcslen.LIBCMT ref: 003270D9
_wcslen.LIBCMT ref: 003270E8

Strings

p3:, xrefs: 002E0F9A
\, xrefs: 003270EE
Software\AutoIt v3\AutoIt, xrefs: 002E0F6E
|(:, xrefs: 002E0E75
\Include\, xrefs: 002E0F35
Include, xrefs: 00326FE6, 00327027

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$p3:$|(:
API String ID: 98802146-1920603704
Opcode ID: 94f71b000536b4494a8862c0c84b5b282ecdd7c926d896df3740d1c468d9e280
Instruction ID: 278caa76b4cf7f3ddb87beae51c7f0bd212d1256e772838adb86424d5fd9e407
Opcode Fuzzy Hash: 94f71b000536b4494a8862c0c84b5b282ecdd7c926d896df3740d1c468d9e280
Instruction Fuzzy Hash: ED718B75518301AECB16EF65EC818ABBBECFF4A740F40442EF545872A0EB709A58CF52

Function 002E507A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002E50AD
RegisterClassExW.USER32(00000030), ref: 002E50D7
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E50E8
InitCommonControlsEx.COMCTL32(?), ref: 002E5105
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E5115
LoadIconW.USER32(000000A9), ref: 002E512B
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E513A

Strings

TaskbarCreated, xrefs: 002E50DD
0, xrefs: 002E508F
AutoIt v3 GUI, xrefs: 002E50C9
+, xrefs: 002E5096

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 03d12b2dc4e815e378c3fe7925ab2758603ea5044f5a752d6b9decb326a64591
Instruction ID: 9847375c16c2397ef1619c7aae4be83f646e94c51ea065a3abbb0b579746393a
Opcode Fuzzy Hash: 03d12b2dc4e815e378c3fe7925ab2758603ea5044f5a752d6b9decb326a64591
Instruction Fuzzy Hash: 6621DBB5E01318AFDB02DF98EC89BDEBBB8FB09710F00811AF911A62A0D7B545549F95

Function 00E79819 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 00E7986E
CharNextA.USER32(00000000,00000000), ref: 00E7987A
CharNextA.USER32(00000000,00000000), ref: 00E798A2
CharNextA.USER32(00000000), ref: 00E798AE
CharNextA.USER32(?,00000000), ref: 00E798EF
CharNextA.USER32(00000000,?,00000000), ref: 00E798FB
CharNextA.USER32(00000000,?,00000000), ref: 00E79933
CharNextA.USER32(?,00000000), ref: 00E7993F

Strings

", xrefs: 00E79924
, xrefs: 00E79841
", xrefs: 00E79893

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction ID: 9cfe7a82720c7c5c8f749e39b82a3b20db72c95092b3c319a8433f50619a1660
Opcode Fuzzy Hash: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction Fuzzy Hash: 6E510674A08286DFE735DFA8C484A66BBE5EF5A340F24984DE5C9EB302D331AC40DB51

Function 00310585 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003102C4: CreateFileW.KERNELBASE(00000000,00000000,?,0031062E,?,?,00000000,?,0031062E,00000000,0000000C), ref: 003102E1

GetLastError.KERNEL32 ref: 00310699
__dosmaperr.LIBCMT ref: 003106A0
GetFileType.KERNELBASE(00000000), ref: 003106AC
GetLastError.KERNEL32 ref: 003106B6
__dosmaperr.LIBCMT ref: 003106BF
CloseHandle.KERNEL32(00000000), ref: 003106DF
CloseHandle.KERNEL32(?), ref: 00310829
GetLastError.KERNEL32 ref: 0031085B
__dosmaperr.LIBCMT ref: 00310862

Strings

H, xrefs: 003107E7

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3d027bb84a259206e4b3cecd929459272c7c0a5dca62da0bcdacd36f15946640
Instruction ID: 76d3de1a100498782a340e20f71011f2106115f9952b8efaef1e959be24ec0f5
Opcode Fuzzy Hash: 3d027bb84a259206e4b3cecd929459272c7c0a5dca62da0bcdacd36f15946640
Instruction Fuzzy Hash: 7FA14632A041589FDF1EEF68C8957EE7BA5AB0A320F140149F811AF3D1DBB59892CB51

Function 002E2C51 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002E2C5C
LoadCursorW.USER32(00000000,00007F00), ref: 002E2C6B
LoadIconW.USER32(00000063), ref: 002E2C81
LoadIconW.USER32(000000A4), ref: 002E2C93
LoadIconW.USER32(000000A2), ref: 002E2CA5
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E2CBD
RegisterClassExW.USER32(?), ref: 002E2D0E

Part of subcall function 002E507A: GetSysColorBrush.USER32(0000000F), ref: 002E50AD
Part of subcall function 002E507A: RegisterClassExW.USER32(00000030), ref: 002E50D7
Part of subcall function 002E507A: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E50E8
Part of subcall function 002E507A: InitCommonControlsEx.COMCTL32(?), ref: 002E5105
Part of subcall function 002E507A: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E5115
Part of subcall function 002E507A: LoadIconW.USER32(000000A9), ref: 002E512B
Part of subcall function 002E507A: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E513A

Strings

#, xrefs: 002E2CE4
AutoIt v3, xrefs: 002E2CFD
0, xrefs: 002E2CDD

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: bd3603a3cdb0ca6ff80b05f294d3154a05cd2d643f54760f75a41f492de98aa6
Instruction ID: ad71971226f27b2eddc2fef2518e9f981afa52c8c1d8c05514db66ded6387cbc
Opcode Fuzzy Hash: bd3603a3cdb0ca6ff80b05f294d3154a05cd2d643f54760f75a41f492de98aa6
Instruction Fuzzy Hash: 5221E078E50318AFDF129FA9EC45B9ABFB8FB4A710F00402AF504A62E0D7B64550CF95

Function 00308B75 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5e1f335149c1f65408a0597064813debf222847bf43fdbe44d87848491aaad
Instruction ID: 155ac3901e73285aaecf311035c1726d280893f2854a14ac3bf7a74eefe54ae6
Opcode Fuzzy Hash: 3d5e1f335149c1f65408a0597064813debf222847bf43fdbe44d87848491aaad
Instruction Fuzzy Hash: 74C11570E06349AFDF13DFA8D864BAEBBB4AF1A300F150144E590AB3D2CB749941CB60

Function 00E942B1 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,00E94551,00000000), ref: 00E94312
MessageBoxA.USER32(00000000,no data,00E94551,00000000), ref: 00E9438A
GetTickCount.KERNEL32 ref: 00E94422

Strings

Executing manually will not work, xrefs: 00E9430B
no data, xrefs: 00E94383
uPQzHOdQ, xrefs: 00E942E2

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$no data$uPQzHOdQ
API String ID: 1431039135-1731644993
Opcode ID: a5216e5a1322d761092eb1a776fb5c0816378cf134aed37dfacbcaa1f068b7f6
Instruction ID: 49ecb91f74c4716a321d39476d1be21b3ee33601f19298d037e732ae9f8e969e
Opcode Fuzzy Hash: a5216e5a1322d761092eb1a776fb5c0816378cf134aed37dfacbcaa1f068b7f6
Instruction Fuzzy Hash: 3C61FB74600604DFCB10EBA5E882E9D73F1EB88300F51A567F915BB7A9DB30AD4A8B51

Function 00E8D055 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00E914A5,00000001,00000000,00000000,00000000), ref: 00E8D071
MessageBoxA.USER32(00000000,00E8D18D,00E8D189,00000000), ref: 00E8D08B
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00E914A5,00000001,00000000), ref: 00E8D093
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E8D0B5
MessageBoxA.USER32(00000000,00E8D191,00E8D189,00000000), ref: 00E8D0CC
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E8D176

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: 6e89a3003bba3eeb156bc8c0c28fd868161d10e50e388a19bd856a760450b71c
Instruction ID: cbb86780f583d382a4d2f7137acfc1ae5489acece653c91f3cf022ce62311152
Opcode Fuzzy Hash: 6e89a3003bba3eeb156bc8c0c28fd868161d10e50e388a19bd856a760450b71c
Instruction Fuzzy Hash: D831FA74349301AFD254EF29CC85F1AB3E9EF84710F10996DF99CAB392D670E8458B61

Function 002F0A12 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

___scrt_release_startup_lock.LIBCMT ref: 002F0AA4
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 002F0AB8
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 002F0ADD
___scrt_get_show_window_mode.LIBCMT ref: 002F0AEF
___scrt_uninitialize_crt.LIBCMT ref: 002F0B20
___scrt_fastfail.LIBCMT ref: 002F0B6F

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_fastfail___scrt_get_show_window_mode___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 4079798206-0
Opcode ID: b3cd80ccab2d9224b30bcf50082ab235554c2cabb2a264c27e1dcd7163031f51
Instruction ID: a690eb48e025aff0f1e7ed239e1691a3279dae0bf6241d4dc89f705b37c14912
Opcode Fuzzy Hash: b3cd80ccab2d9224b30bcf50082ab235554c2cabb2a264c27e1dcd7163031f51
Instruction Fuzzy Hash: 1A210A2166130EAADA217BB498827BEE3654F427D5F240079F7806B1D3CEA149704E15

Function 00E90CFD Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00E90D8C), ref: 00E90D3D
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00E90D8C), ref: 00E90D4C
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00E90D8C), ref: 00E90D6B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E90D71

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 8d0dc6ff2cb50f49b356164e3eb62cc30a8b6a4df011f1a0001bd5d9fefde9a4
Instruction ID: a1fe3d56531f97769cc2d1b3675586da5e320d5ab3040faa12ce893c7344d2e1
Opcode Fuzzy Hash: 8d0dc6ff2cb50f49b356164e3eb62cc30a8b6a4df011f1a0001bd5d9fefde9a4
Instruction Fuzzy Hash: FD111E70600604BFE720EFB8CC92F5E76ECDB08710F609575B618F6191E6716E008614

Function 002D4293 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

CALL, xrefs: 0031350E
|(:, xrefs: 0031351F

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID:
String ID: CALL$|(:
API String ID: 0-742376880
Opcode ID: b038019fb491d2ca3515b364e5bd04e8e5352a01245894f1faf3facd81878800
Instruction ID: fe8c2dea06c26202b7d37e30e37c6b2fece0c899891814d9943356d4f7290f87
Opcode Fuzzy Hash: b038019fb491d2ca3515b364e5bd04e8e5352a01245894f1faf3facd81878800
Instruction Fuzzy Hash: 21129B705183419FD725EF14C480B6AB7E1BF89300F15896EE99A8B362C771EDA5CF82

Function 002D8E00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002D90D4

Strings

CALL, xrefs: 002D90A4
|(:, xrefs: 002D90B2

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$|(:
API String ID: 1385522511-742376880
Opcode ID: ec7c395b51b2df24fc8c3df3ff60636d3a72f41a97b866c4513ce1d2f1de5b91
Instruction ID: 45cd633e01cf989216f37a0dfe175d845ce19b3409d93ac38ac457ceccc7f731
Opcode Fuzzy Hash: ec7c395b51b2df24fc8c3df3ff60636d3a72f41a97b866c4513ce1d2f1de5b91
Instruction Fuzzy Hash: C691A9B0118201DFCB15DF14C880B6ABBE1BF85314F148959F9995B3A2CB71ED65CF92

Function 002E10B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003271AE

Part of subcall function 002D119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D1192,?), ref: 002D11BF

Part of subcall function 002EFDB9: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002EFDD8

Strings

X, xrefs: 0032717C
(s9, xrefs: 00327192

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: (s9$X
API String ID: 779396738-4059790037
Opcode ID: dff79ba46af4267c29f0f0e93d544e802d61a599e7916b9743d0efa5baae2e01
Instruction ID: 7a00359205613893d13eeb7cad2b63345f4ad3536aebe41ca327462f0d0b8d07
Opcode Fuzzy Hash: dff79ba46af4267c29f0f0e93d544e802d61a599e7916b9743d0efa5baae2e01
Instruction Fuzzy Hash: 4121D834A24298ABCF02DF95DC457EE7BFDAF49310F00401AE904E7281DBF459998FA1

Function 002F042B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0C74

Part of subcall function 002F440C: RaiseException.KERNEL32(?,?,?,002F0C96,?,00000001,?,?,?,?,?,?,002F0C96,?,003994C0), ref: 002F446B

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0C91

Strings

Unknown exception, xrefs: 002F0C9E

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 01fbed31d289a05f4888b85113fe9b187950fc1d70d7d5f1188ddd1957bcfc12
Instruction ID: c1078136bab9b381ea7753875327a36282fe3a43a2866f9a3a0681a85be19622
Opcode Fuzzy Hash: 01fbed31d289a05f4888b85113fe9b187950fc1d70d7d5f1188ddd1957bcfc12
Instruction Fuzzy Hash: 27F0282492020DB78F04FAA9E891EBDF72C4E003C8B908232BB1495493EBB0E535C980

Function 00358974 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00358D10
TerminateProcess.KERNEL32(00000000), ref: 00358D17
FreeLibrary.KERNEL32(?,?,?,?), ref: 00358EF8

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: ec842c90f331f24928e0c148a82e4ee10a80b7b0d8aa567c6c1738edc009aff3
Instruction ID: 2af51094255dbd6233fb47b3f19afba07a6025acdc659780e533a1aaf3892a74
Opcode Fuzzy Hash: ec842c90f331f24928e0c148a82e4ee10a80b7b0d8aa567c6c1738edc009aff3
Instruction Fuzzy Hash: FE126A71A083419FC715CF28C481B6ABBE5BF88315F05895DE8899B362DB31ED49CF92

Function 003084DE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003083FC,?,00399910,0000000C), ref: 00308534
GetLastError.KERNEL32(?,003083FC,?,00399910,0000000C), ref: 0030853E
__dosmaperr.LIBCMT ref: 00308569

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4bf0eef834a8dd812ec54728e059699d0a20d11c1a1945cdbf1b2dbb6d05c1c2
Instruction ID: f360324bc1ba29862cf67e757e681f7e1ee8a690563ffe7510819ab1e9858188
Opcode Fuzzy Hash: 4bf0eef834a8dd812ec54728e059699d0a20d11c1a1945cdbf1b2dbb6d05c1c2
Instruction Fuzzy Hash: 7301DB36A075601AD62B13396C6577F678E4B83734F268219F854DB1D3DE708C818655

Function 00E906BD Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 00E90703
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 00E9072A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 00E9074F

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: d4897849594e60a178ef95272193f56419d18cf259b6a803dd3996fa4897a441
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: 01110375A0011CABDB11EA98DC81EDEB7EEAB48314F105566F618F7241EB709E448BA0

Function 00E90AE1 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B26
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B3E
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B4A

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 71c113f7780988b2d7a5415d46da7f2c93b5f66b914f6b25d07b2f4ddf61b3c9
Instruction ID: 5ca4dba971181ecd37f32ecbe2a5fdc1095ed35ebbf76699abf8b3940daa5f78
Opcode Fuzzy Hash: 71c113f7780988b2d7a5415d46da7f2c93b5f66b914f6b25d07b2f4ddf61b3c9
Instruction Fuzzy Hash: 84018471A00704BEEB21DAA88C83F6EB6ECDB45B24F619175F618F31D0E7B05E009564

Function 00E78195 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00E78528), ref: 00E781C4
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00E78528), ref: 00E781EB

Strings

|, xrefs: 00E781D3

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: |
API String ID: 2087232378-1049989498
Opcode ID: 9f749ba4c1383ab14612685fd1b565f075e3dc1d3cbb632ba9a4cd408b8ed186
Instruction ID: 5450c0ff5e0ad0bb078092243147ec5da237583b9d6084b350a036b0e3a699d1
Opcode Fuzzy Hash: 9f749ba4c1383ab14612685fd1b565f075e3dc1d3cbb632ba9a4cd408b8ed186
Instruction Fuzzy Hash: C5F027B2B4262017EB60DA6C4D89F525AD49F95790F159070F94CFF3C8CBA18C0282A1

Function 00E92A95 Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00E92B9A), ref: 00E92B0F
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00E92B9A), ref: 00E92B43

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: beecb88b0930666e5c422543f84d4ce7f25825666046fbbb371b3bd4a6610b2d
Instruction ID: dc06c08ecad02509d0ed353ad43c62fd8a7f0c46f75a248ccbf1b6339bf250ab
Opcode Fuzzy Hash: beecb88b0930666e5c422543f84d4ce7f25825666046fbbb371b3bd4a6610b2d
Instruction Fuzzy Hash: 29315E31E00208BFDF21DAA4C881BDEB7F9EB44300F5494A9FA14F3281E7759A458710

Function 00E78339 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00E783D2

Strings

|, xrefs: 00E78383, 00E783E7

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: |
API String ID: 4275171209-1049989498
Opcode ID: b7817dfab5660ec01ec729f1aca57a123e7a728b1ab4a2f358a02efdde6af2cf
Instruction ID: 077b7b383f9aefdb9b3b2698cc37c736ed5d3f0cf4ac0cffcff3519efce1bb62
Opcode Fuzzy Hash: b7817dfab5660ec01ec729f1aca57a123e7a728b1ab4a2f358a02efdde6af2cf
Instruction Fuzzy Hash: C821FFB0244242EFCB50CF2CD984A9ABBE0FFA8714F108969F999DB350D730E904CB52

Function 00E78271 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E782EA

Strings

|, xrefs: 00E78296, 00E7830A

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: FreeVirtual
String ID: |
API String ID: 1263568516-1049989498
Opcode ID: 2468c036a3621ec6d25cafcea5af33c1d1d5fb6dd3a820f707e6af8cdeae6aff
Instruction ID: 0d7a153194c416cb486af45b44897d937caa95744c29c0649a78e5e0f8bed696
Opcode Fuzzy Hash: 2468c036a3621ec6d25cafcea5af33c1d1d5fb6dd3a820f707e6af8cdeae6aff
Instruction Fuzzy Hash: 5C21B074644302AFC350DF1DD988A0ABBE1EB98720F24C92EE4D897361D731E944CB56

Function 00E783F9 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00E78489

Strings

|, xrefs: 00E78441, 00E784A2

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: FreeVirtual
String ID: |
API String ID: 1263568516-1049989498
Opcode ID: 65b3f73c90bb03f5439f803a8117ae39b8ed3412679b7f2e468377686ead5149
Instruction ID: d0ebe1e53b7b3f034987109476aaf68a53001a56312f47593c13557ef955ba5f
Opcode Fuzzy Hash: 65b3f73c90bb03f5439f803a8117ae39b8ed3412679b7f2e468377686ead5149
Instruction Fuzzy Hash: 1421E3B5244302DFC760CF28D984A5AB7E0FF99310B108959E5A8EB314E770E908CF52

Function 00E90CF2 Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00E90D8C), ref: 00E90D6B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E90D71

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 83636c7858381a764d5607983684025f987ed1fa5f4fb355f7c446a5ca1f9f46
Instruction ID: 91566c1548491d3e995266e648f008104f63a08ecea60e34e5487d275acb4738
Opcode Fuzzy Hash: 83636c7858381a764d5607983684025f987ed1fa5f4fb355f7c446a5ca1f9f46
Instruction Fuzzy Hash: 5BE0BFB5504204AFEB14EFA4D892EADB7ECEF44300FA0A475B558E6145DA74AA009B20

Function 00E90689 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,00E92E5D,00000000,00E92FC4,?,?,00000000,00000000), ref: 00E90695
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,00E92E5D,00000000,00E92FC4,?,?,00000000,00000000), ref: 00E906B2

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2322c5053fb42436831286030d8023206803bd5b9f693278f3b2b0df1fe8d399
Instruction ID: 5a7ae945018487d19801662f27a787c7ff4ffccc5136969f94b60752dec86378
Opcode Fuzzy Hash: 2322c5053fb42436831286030d8023206803bd5b9f693278f3b2b0df1fe8d399
Instruction Fuzzy Hash: E0D0C781F117205ACD2131BC1CC6F5B01CD8B59774B646611F538F3583E7568DD10190

Function 00E93CF5 Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00E94055,00000000,00E94070,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E93CF7
TerminateProcess.KERNEL32(00000000,00000000,00E94055,00000000,00E94070,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E93CFD

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: 82dbb97f5c03b5643b0f5ea8d6b2b83e3197c0b874f150a6751d85c45b38201b
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: C99002855D560014D86032B00C57F19448C5B40716FE0B458F20CB5186489840000121

Function 002FEC36 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af7cd571246b23d8ee472ca723441a24673c7737eab510d91e5e5f5640baa5f
Instruction ID: 3fcd3073114fa58fcf2b0299ceb9731202f599847adf6f374e0b4dca1100dc20
Opcode Fuzzy Hash: 0af7cd571246b23d8ee472ca723441a24673c7737eab510d91e5e5f5640baa5f
Instruction Fuzzy Hash: 4B51FB31A1010DAFDF12DF18C840B79BBB9EF853A4F1A8164E9189B3A1C771DD52CB90

Function 00340156 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0034016F

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: fd0dfad59dac8a42cdf832fa6d4ed2f1ae55509e60e186d212caf325328bf1b3
Instruction ID: b4bcade7ab05d926b2a292d7cd5bbabbb686814b15995b010e5d215cf188c96a
Opcode Fuzzy Hash: fd0dfad59dac8a42cdf832fa6d4ed2f1ae55509e60e186d212caf325328bf1b3
Instruction Fuzzy Hash: 9F418676600209AFDB16DFA4C8819AEB7F9FF44310B11892EE6569B291DB70EE448F50

Function 002F02C0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 002F036F

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 8e482854e71b5e0b7c357d99ad602f785c8b83f8ec3194d36771b65941574620
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D631E370A1010ADBC718CF58C4D497DF7A6FB49380B2486E5E909CB256D731EDE1CB90

Function 002E27CA Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E290F: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E27DC,?,?,002E058E,?,00000001), ref: 002E291B
Part of subcall function 002E290F: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E292D
Part of subcall function 002E290F: FreeLibrary.KERNEL32(00000000,?,?,002E27DC,?,?,002E058E,?,00000001), ref: 002E293F

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002E058E,?,00000001), ref: 002E27FC

Part of subcall function 002E28D8: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003277B4,?,?,002E058E,?,00000001), ref: 002E28E1
Part of subcall function 002E28D8: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E28F3
Part of subcall function 002E28D8: FreeLibrary.KERNEL32(00000000,?,?,003277B4,?,?,002E058E,?,00000001), ref: 002E2906

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 288b8ca54475e810daadd3bb7b4c0d7a0b013fddf4b496583ae6b20c7639b501
Instruction ID: a3d41dc9785cedbb1eacab4d430900646470525f8c7a81a7830519619269ab7e
Opcode Fuzzy Hash: 288b8ca54475e810daadd3bb7b4c0d7a0b013fddf4b496583ae6b20c7639b501
Instruction Fuzzy Hash: 8C1108316A0249EACF15FF25C902BAD77A8DF40710F90842DF443961C1DE715A299B60

Function 00E8D7FD Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E8D876

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: e05db01a2dd0211474c15012bf597f0e361d39c9b5493031b1065bcab0a3f0b5
Instruction ID: f0140ec92360b594aea51663f8563f89fcc92a1e7432605b046f2157b48f1589
Opcode Fuzzy Hash: e05db01a2dd0211474c15012bf597f0e361d39c9b5493031b1065bcab0a3f0b5
Instruction Fuzzy Hash: 0D11F1B4E04309AFCF04DF99C8818AEB7F9FB48710B509465F818A7341D730AE108F91

Function 00308232 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00308270

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 64ba64d267795046e2162a5fac2bfd2130c38f5813e9b3dd51b512ad5de587b5
Instruction ID: a21e32c36ed3b434c3fa0d31e2ee7fb325d7e892242248dfb279a538cde31a20
Opcode Fuzzy Hash: 64ba64d267795046e2162a5fac2bfd2130c38f5813e9b3dd51b512ad5de587b5
Instruction Fuzzy Hash: AF112A7590510AAFCF06DF58E94199E7BF8EF48310F114459FC09AB351D631EA21CBA5

Function 00304E2C Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0030287C: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00302D00,00000001,00000364,?,?,?,003026D1,0030281A,?,?,002DFC79,?), ref: 003028BD

_free.LIBCMT ref: 00304E98

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c57330368dedb74c64afd24965cb97a48ffaf81de64891be2ccdd6010017c593
Instruction ID: f8495f1d53a04cc6e0e6640bc02a113c3ac71176bb5ce83ad94263300d93e973
Opcode Fuzzy Hash: c57330368dedb74c64afd24965cb97a48ffaf81de64891be2ccdd6010017c593
Instruction Fuzzy Hash: FB01D6B2201305ABE3228F69D895A5AFBDDFB85370F25051DE694872C0EA30A905C764

Function 002FE4A2 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2009a02d5f339f5257c59c963c83ace43b5680a0de814ef047c30addbb01e52
Instruction ID: 159880099b7e65983f70fb6b7e34816c7b706e99a6fc979eff52f3d015ce856b
Opcode Fuzzy Hash: b2009a02d5f339f5257c59c963c83ace43b5680a0de814ef047c30addbb01e52
Instruction Fuzzy Hash: 44F07D3252261D5ADA333E29CC19B7BB3488F413B4F110B25F7659B0E2DF70D81187A1

Function 00E92BE3 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00E92C16

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f3c9aa981de00efd08ed2294cf79377c231f131312860de0faba8aa352c284c4
Instruction ID: 65eab2cc4db227be7996b0cb7c9cd562bda06d0ff5edac8f72297470d44b7ba6
Opcode Fuzzy Hash: f3c9aa981de00efd08ed2294cf79377c231f131312860de0faba8aa352c284c4
Instruction Fuzzy Hash: EFF04471A04108BFDB14EA9DDC81FAFBBED9B49310F149166FA1CE7351D6719D0087A1

Function 00E92BE5 Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00E92C16

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c1d0b103646b8e9feab77da548537067d4a3a05487d38df65781f15ee58d9a99
Instruction ID: 13404b6060cfd1a47e12efa5cc9ec14056506086d8ed75141e1e06df5ac86522
Opcode Fuzzy Hash: c1d0b103646b8e9feab77da548537067d4a3a05487d38df65781f15ee58d9a99
Instruction Fuzzy Hash: D3F04471A04108BBCB14EA9DDC81F9FBBED9B49310F149166FA1CE7351D6719D0087A1

Function 0030287C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00302D00,00000001,00000364,?,?,?,003026D1,0030281A,?,?,002DFC79,?), ref: 003028BD

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1d26467b65dc3888d2cd75b3f29f2010e3a7957095bc679a9187252820c6a330
Instruction ID: 7b475b38fc0dfca13408f313ccee12ee73a2d60eff6dc49e45b33f64be69d954
Opcode Fuzzy Hash: 1d26467b65dc3888d2cd75b3f29f2010e3a7957095bc679a9187252820c6a330
Instruction Fuzzy Hash: 23F0B43960222966EB232B269C2DB6B779CBF417A0B26C161F815AA1D4DB70D80087F0

Function 00E7C979 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00E7C9AB

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 4ef9e1e06d622049684edb1c8c6f40fc91679e83efa838ee35e3be2c1829bde2
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 3EF030727005109FCB51EA6CC8C1F9A72DC9B88355B14D065B74CEB359DB60DC4587A2

Function 0030282E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000001,?,002F0445,?,?,002DFA72,00000000,?,?,?,002D1188,?), ref: 00302860

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 049663c6b66066903bde5365311fdffbd3c0df0df951e387ae784616753fa8f0
Instruction ID: c4fe11acbc81a2a19376948fc7940e3e9997668ebaf75d0897c188adc0e929b2
Opcode Fuzzy Hash: 049663c6b66066903bde5365311fdffbd3c0df0df951e387ae784616753fa8f0
Instruction Fuzzy Hash: 81E0E5391022295AD62336665C1C76B7A4CAF023A0F16C121FD45965D1CA90CC0087A0

Function 002E283A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195d9f40450377a24953f430e1837228e240c7004da54213acd65805d4fed96c
Instruction ID: 43dbc146078e19ebb84b25b086f8a2c0a2fa7fa21e9ce41c9f3baafabff5c730
Opcode Fuzzy Hash: 195d9f40450377a24953f430e1837228e240c7004da54213acd65805d4fed96c
Instruction Fuzzy Hash: C1F0A970555312CFCB358F25E880826BBE9BF003293208A7EE2D782620C372A854CF60

Function 00304BA6 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00304BC8

Part of subcall function 003027F4: RtlFreeHeap.NTDLL(00000000,00000000,?,002DFC79,?,?,002D111E), ref: 0030280A

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: FreeHeap_free
String ID:
API String ID: 3249267023-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 4af56eaceee8dc701ef33b100c0cf280382d20bad37a16862381636650444c59
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 63E0927A1053059FC725DF6DE410B82B7E4EF843603218529E99DD7250D731F812CB80

Function 002E28AC Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002E28CA

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction ID: 4d498275ff7ab9c4e172dbffec7711a9133733ec618512748ffc3a65409b600f
Opcode Fuzzy Hash: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction Fuzzy Hash: 4FF0587240020DFFDF05CF80C941EAABB79FF04314F208189F9148A212D332EA21EBA1

Function 00E7BE19 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(002D0000,?,00000105), ref: 00E7BE37

Part of subcall function 00E7C0AD: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00E7C0C8
Part of subcall function 00E7C0AD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C0E6
Part of subcall function 00E7C0AD: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C104
Part of subcall function 00E7C0AD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00E7C122
Part of subcall function 00E7C0AD: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00E7C16B
Part of subcall function 00E7C0AD: RegQueryValueExA.ADVAPI32(?,00E7C32D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001), ref: 00E7C189
Part of subcall function 00E7C0AD: RegCloseKey.ADVAPI32(?,00E7C1B8,00000000,00000000,00000005,00000000,00E7C1B1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E7C1AB

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: 7d20dc38a3d390e47a680d4a9b343fec5a321926169aae66401b268200d97c61
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: 91E06D71A003148BCB10DE5888C1A8733E8AF08758F009995AD68DF34AD371DD2487D1

Function 00E7E61D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00E9021F,00000000,00E9262F,00E927D5,?,c:\,00E927D5,?,c:\), ref: 00E7E628

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d9ea6dab54ef532fb87bc64f2264bfe69af9be573fabfd3a2d7305f2dc2b692b
Instruction ID: b0fe6fc083be7f635d753bec2a4fd7649f8bfb4cbcb5da7f2df1ebba498b5a91
Opcode Fuzzy Hash: d9ea6dab54ef532fb87bc64f2264bfe69af9be573fabfd3a2d7305f2dc2b692b
Instruction Fuzzy Hash: 1EC08CA06112000A5E30A2FC1CC110A02C95A2C23C320BAA5F03CF22C2E312C8522010

Function 003102C4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0031062E,?,?,00000000,?,0031062E,00000000,0000000C), ref: 003102E1

Memory Dump Source

Source File: 0000002D.00000002.2963731403.00000000002D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000002D.00000002.2963708420.00000000002D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.000000000036D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963913988.0000000000391000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963972003.000000000039D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002D.00000002.2963994434.00000000003A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction ID: 752b8f3b30ed61f06531acb909488c8d639cc24e52bb52b5793b6f8f2ff422b1
Opcode Fuzzy Hash: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction Fuzzy Hash: 43D06C3210010DBBDF028F84DD06EDA3BAAFB4C714F018000FE1856020C772E821AB90

Function 00E7E935 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00E9022A,00000000,00E9262F,00E927D5,?,c:\,00E927D5,?,c:\), ref: 00E7E942

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: f3706b27ca1747f93cc4cd9e7ed895c6d81b0dd54962bce05e3f63b83bf3e94e
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: A4B012D2B713405BEE2035F81CE2F2F00CDDB04A06F206C35F259E6143E577C8450410

Function 00E90B75 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90AE1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B26
Part of subcall function 00E90AE1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B3E
Part of subcall function 00E90AE1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B4A

Sleep.KERNEL32(00000002,00000000,00E90BE6), ref: 00E90BC6

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 21ae6d8886bc8d5191860912279505c19bb37bffdb4b2f6364f60fff6bfbd6e0
Instruction ID: 57b25b4db9b635ffef950c9c36099acfad2d3d4232a353018b7f23f407d2127b
Opcode Fuzzy Hash: 21ae6d8886bc8d5191860912279505c19bb37bffdb4b2f6364f60fff6bfbd6e0
Instruction Fuzzy Hash: 35F06870A04608EFDB15EBA8C852A9EB7F8EB48710F9090B5F508F7691EB709E40D651

Function 00E90BEC Relevance: 1.3, APIs: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90AE1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B26
Part of subcall function 00E90AE1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B3E
Part of subcall function 00E90AE1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00E90B65), ref: 00E90B4A

Sleep.KERNEL32(00000002,00000000,00E90BE6), ref: 00E90BC6

Memory Dump Source

Source File: 0000002D.00000002.2965202815.0000000000E75000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_e75000_file.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 29e9c8c051b88c965c0052c8ac0b415f771b4b4b6509a6246b541ef195558393
Instruction ID: 2892ab4d207fd937a7a2466fc5d6a87a5aff0b26cdc6c7dddc5756f17c49cf5f
Opcode Fuzzy Hash: 29e9c8c051b88c965c0052c8ac0b415f771b4b4b6509a6246b541ef195558393
Instruction Fuzzy Hash: C5F06870A04604EFDF15EBA8C852AAEB7F9EB88304F9094B5F40CF7551E7715E41D610

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 740d3a.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\3fe04d.rbs

C:\Config.Msi\3fe04f.rbs

C:\ProgramData\doW4t2.a3x

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\AI_F78C.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ax5gg51.mrc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ceqbq3pg.ik3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hq41r5ld.5xg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5eynkwf.21d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khge5aeh.ut0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pj3du2ww.13m.psm1

C:\Users\user\AppData\Local\Temp\is-2LPQH.tmp\Vista Software.tmp

Windows Analysis Report
740d3a.msi

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre