Edit tour

Windows Analysis Report
i9DKxTZoVd.exe

Overview

General Information

Sample name:	i9DKxTZoVd.exe
Analysis ID:	1572121
MD5:	108b6783fb581f9f9ce33936379ee0cd
SHA1:	d929bf4e5fa60a1084314149628458d44d2c2a83
SHA256:	02adaac35a67006fb3424a7e8264fccac9b54e2791f333f16bae2f3245efb4d7
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Loading BitLocker PowerShell Module

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Uses Register-ScheduledTask to add task schedules

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64native

i9DKxTZoVd.exe (PID: 7076 cmdline: "C:\Users\user\Desktop\i9DKxTZoVd.exe" MD5: 108B6783FB581F9F9CE33936379EE0CD)

i9DKxTZoVd.tmp (PID: 7504 cmdline: "C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp" /SL5="$1041C,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" MD5: 14C6FA8E50B4147075EB922BD0C8B28D)

cmd.exe (PID: 3540 cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

timeout.exe (PID: 3600 cmdline: timeout /T 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

i9DKxTZoVd.exe (PID: 4536 cmdline: "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: 108B6783FB581F9F9CE33936379EE0CD)

i9DKxTZoVd.tmp (PID: 8160 cmdline: "C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp" /SL5="$20468,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: 14C6FA8E50B4147075EB922BD0C8B28D)

regsvr32.exe (PID: 4232 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 4752 cmdline: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 4292 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5652 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

regsvr32.exe (PID: 3552 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 7388 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 4752, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", ProcessId: 4292, ProcessName: powershell.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 88.99.161.62, DestinationIsIpv6: false, DestinationPort: 56001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 4752, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49761

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp" /SL5="$20468,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES, ParentImage: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp, ParentProcessId: 8160, ParentProcessName: i9DKxTZoVd.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", ProcessId: 4232, ProcessName: regsvr32.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 4752, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", ProcessId: 4292, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 4752, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }", ProcessId: 4292, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T07:00:59.505222+0100	2035595	1	Domain Observed Used for C2 Detected	88.99.161.62	56001	192.168.11.20	49761	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Swallow.dat (copy)	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\is-N7DV6.tmp	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: i9DKxTZoVd.exe	ReversingLabs: Detection: 39%
Source: i9DKxTZoVd.exe	Virustotal: Detection: 22%			Perma Link

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB99056C30 BCryptGenRandom,SystemFunction036,

14_2_00007FFB99056C30

Source: i9DKxTZoVd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cloudy Floor_is1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB9901D310 NetUserEnum,NetUserGetInfo,memcpy,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,LsaEnumerateLogonSessions,LsaFreeReturnBuffer,LsaGetLogonSessionData,memcmp,LsaFreeReturnBuffer,memcmp,

14_2_00007FFB9901D310

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 88.99.161.62:56001 -> 192.168.11.20:49761

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 88.99.161.62 56001

Jump to behavior

Uses dynamic DNS services

Source: unknown

DNS query: name: 1hvnc.duckdns.org

Source: global traffic

TCP traffic: 192.168.11.20:49761 -> 88.99.161.62:56001

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 1hvnc.duckdns.org

Source: regsvr32.exe, 0000000E.00000003.101876266085.00000000053B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digic
Source: regsvr32.exe, 00000009.00000003.101745297574.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101956821107.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101744354529.00000000050D7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101940941733.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101747125678.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748685259.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101746518370.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101751706370.0000000005100000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101741715743.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101752875137.0000000005102000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748153353.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102062176560.00000000057C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 0000000A.00000002.101802236942.000002A4E6A5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000A.00000002.101802236942.000002A4E6A45000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000F.00000002.102015220848.000001E27587D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: regsvr32.exe, 00000009.00000003.101745297574.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101956821107.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101744354529.00000000050D7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101940941733.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101747125678.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748685259.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101746518370.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101751706370.0000000005100000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101741715743.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101752875137.0000000005102000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748153353.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102062176560.00000000057C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: powershell.exe, 0000000A.00000002.101798259193.000002A4DE8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.101779809519.000002A4CFD3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101896209492.0000025DB1525000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA29A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101994038719.000001E26D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: regsvr32.exe, 00000009.00000003.101745297574.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101956821107.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101744354529.00000000050D7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101940941733.0000000005046000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101747125678.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748685259.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101746518370.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101751706370.0000000005100000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101741715743.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101752875137.0000000005102000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101748153353.00000000050C1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102062176560.00000000057C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzA
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CE851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA14B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D2A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA256D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzA
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: i9DKxTZoVd.exe, 00000000.00000003.101663444971.0000000002500000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.exe, 00000000.00000003.101663862917.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.tmp, 00000001.00000000.101665254233.0000000000401000.00000020.00000001.01000000.00000004.sdmp, i9DKxTZoVd.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: regsvr32.exe, 00000009.00000003.101952377109.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005554000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.intel.com/support/gfx_feedback
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005319000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005319000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.000000000584B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.intel.com/support/gfx_feedbackx;
Source: powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micrm/pki/certs/MicR_2010-06-23.crt0
Source: powershell.exe, 0000000A.00000002.101802236942.000002A4E6A5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: i9DKxTZoVd.exe, 00000000.00000003.101663444971.0000000002500000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.exe, 00000000.00000003.101663862917.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.tmp, 00000001.00000000.101665254233.0000000000401000.00000020.00000001.01000000.00000004.sdmp, i9DKxTZoVd.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CE851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA14B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D2A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: regsvr32.exe, 00000009.00000003.101731450336.0000000005084000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953113164.0000000005239000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101732892581.0000000005084000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101733366336.0000000005098000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953392054.0000000005255000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952282689.0000000005239000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102031668502.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101871816850.000000000545D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: i9DKxTZoVd.tmp, 00000007.00000003.101705778461.0000000006000000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/r
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/#
Source: regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/.
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/C
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/Y
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXzA
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 0000000A.00000002.101798259193.000002A4DE8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.101779809519.000002A4CFD3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101896209492.0000025DB1525000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA29A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101994038719.000001E26D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.101802236942.000002A4E6A5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 0000000C.00000002.101837470212.0000025DA256D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/g
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/)
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/m
Source: regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/.
Source: regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/E

Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990119D0 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,RtlFreeHeap,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,GetProcessTimes,	14_2_00007FFB990119D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99014570 NtQuerySystemInformation,memcpy,RtlFreeHeap,RtlFreeHeap,	14_2_00007FFB99014570
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF87B0 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,	14_2_00007FFB98FF87B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFB5B983061	12_2_00007FFB5B983061
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990119D0	14_2_00007FFB990119D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9909BA70	14_2_00007FFB9909BA70
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9901F8A0	14_2_00007FFB9901F8A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF1CC0	14_2_00007FFB98FF1CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF4140	14_2_00007FFB98FF4140
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9909D3C0	14_2_00007FFB9909D3C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FFD2B0	14_2_00007FFB98FFD2B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990EE9B0	14_2_00007FFB990EE9B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990849F0	14_2_00007FFB990849F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FFBA60	14_2_00007FFB98FFBA60
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9907CA60	14_2_00007FFB9907CA60
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9900E930	14_2_00007FFB9900E930
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99010960	14_2_00007FFB99010960
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99018BC0	14_2_00007FFB99018BC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99072BE0	14_2_00007FFB99072BE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99017BE0	14_2_00007FFB99017BE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF7C20	14_2_00007FFB98FF7C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990D5C50	14_2_00007FFB990D5C50
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9901BAC0	14_2_00007FFB9901BAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9900FB50	14_2_00007FFB9900FB50
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990A5DA0	14_2_00007FFB990A5DA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990A2E10	14_2_00007FFB990A2E10
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99014E00	14_2_00007FFB99014E00
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99046E20	14_2_00007FFB99046E20
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99005CA0	14_2_00007FFB99005CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FFDD10	14_2_00007FFB98FFDD10
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990DFD40	14_2_00007FFB990DFD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990E8D60	14_2_00007FFB990E8D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9900EFF0	14_2_00007FFB9900EFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990EEFF0	14_2_00007FFB990EEFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99018040	14_2_00007FFB99018040
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99018EA0	14_2_00007FFB99018EA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99005CA0	14_2_00007FFB99005CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FFDD10	14_2_00007FFB98FFDD10
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990691C0	14_2_00007FFB990691C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990951C0	14_2_00007FFB990951C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990CB1F0	14_2_00007FFB990CB1F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99000220	14_2_00007FFB99000220
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99010270	14_2_00007FFB99010270
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99003290	14_2_00007FFB99003290
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990630E0	14_2_00007FFB990630E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99002130	14_2_00007FFB99002130
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99022170	14_2_00007FFB99022170
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF8160	14_2_00007FFB98FF8160
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99002470	14_2_00007FFB99002470
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990022F0	14_2_00007FFB990022F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99092310	14_2_00007FFB99092310
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990EB330	14_2_00007FFB990EB330
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB9900F5A0	14_2_00007FFB9900F5A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990CD5A0	14_2_00007FFB990CD5A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990025F0	14_2_00007FFB990025F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990A2570	14_2_00007FFB990A2570
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB98FF87B0	14_2_00007FFB98FF87B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99062850	14_2_00007FFB99062850
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB990866A0	14_2_00007FFB990866A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 14_2_00007FFB99099730	14_2_00007FFB99099730

Source: C:\Windows\System32\regsvr32.exe

Code function: String function: 00007FFB990D8D00 appears 63 times

Source: i9DKxTZoVd.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: i9DKxTZoVd.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: i9DKxTZoVd.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: i9DKxTZoVd.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: i9DKxTZoVd.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-8SV5O.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-8SV5O.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-N7DV6.tmp.7.dr

Static PE information: Number of sections : 11 > 10

Source: i9DKxTZoVd.exe, 00000000.00000003.101663444971.0000000002612000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs i9DKxTZoVd.exe
Source: i9DKxTZoVd.exe, 00000000.00000003.101663862917.000000007FE3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs i9DKxTZoVd.exe

Source: i9DKxTZoVd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/24@1/1

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB98FFFA70 GetDiskFreeSpaceExW,

14_2_00007FFB98FFFA70

Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

File created: C:\Users\user\AppData\Local\unins000.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\DefaultMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:304:WilStaging_02
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\52d4ec474c5e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe

File created: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp

Jump to behavior

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: i9DKxTZoVd.exe	ReversingLabs: Detection: 39%
Source: i9DKxTZoVd.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe

File read: C:\Users\user\Desktop\i9DKxTZoVd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\i9DKxTZoVd.exe "C:\Users\user\Desktop\i9DKxTZoVd.exe"
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp "C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp" /SL5="$1041C,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\i9DKxTZoVd.exe "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp "C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp" /SL5="$20468,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp "C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp" /SL5="$1041C,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\i9DKxTZoVd.exe "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp "C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp" /SL5="$20468,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: perfos.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cloudy Floor_is1

Jump to behavior

Source: i9DKxTZoVd.exe

Static file information: File size 1336796 > 1048576

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB98FF8160 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,

14_2_00007FFB98FF8160

Source: _setup64.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: is-8SV5O.tmp.7.dr	Static PE information: real checksum: 0x0 should be: 0x12dcf2
Source: is-N7DV6.tmp.7.dr	Static PE information: real checksum: 0x1b9034 should be: 0x1b957a
Source: i9DKxTZoVd.exe	Static PE information: real checksum: 0x0 should be: 0x14a56e
Source: _setup64.tmp.7.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: i9DKxTZoVd.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x127e44
Source: i9DKxTZoVd.tmp.6.dr	Static PE information: real checksum: 0x0 should be: 0x127e44

Source: is-N7DV6.tmp.7.dr

Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB5B78D2A5 pushad ; iretd	10_2_00007FFB5B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB5B8A05C0 pushad ; retf	10_2_00007FFB5B8A05ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB5B8A00BD pushad ; iretd	10_2_00007FFB5B8A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFB5B79D2A5 pushad ; iretd	12_2_00007FFB5B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFB5B8B7542 push ebx; iretd	12_2_00007FFB5B8B754A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFB5B8B00BD pushad ; iretd	12_2_00007FFB5B8B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFB5B982566 push 8B485F91h; iretd	12_2_00007FFB5B98256B

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	File created: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Roaming\is-N7DV6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	File created: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\is-8SV5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Roaming\Swallow.dat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D1B229C21A0A68AF7DA7312615A134A4 4227e685a575a865fa232fa6c9abd427

Jump to behavior

Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\i9DKxTZoVd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101957876341.000000000522F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101942743810.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101951234755.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101935437421.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101954673010.000000000509C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953465568.00000000050BA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101955689436.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101939285418.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101929916037.00000000050D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE]
Source: regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101957876341.000000000522F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101942743810.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101951234755.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101935437421.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101954673010.000000000509C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953465568.00000000050BA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101955689436.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101939285418.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101929916037.00000000050D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE/
Source: regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101957876341.000000000522F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101929916037.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101957639012.000000000522C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101751947983.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101930271118.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101887332084.00000000054A9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101888466858.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101888208763.00000000054A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXEQ5

Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 5C20000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1DFE0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 9927	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9895	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9900

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-N7DV6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-8SV5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Swallow.dat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-26632

Source: C:\Windows\System32\regsvr32.exe

API coverage: 8.9 %

Source: C:\Windows\System32\regsvr32.exe TID: 1372	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep count: 9895 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4288	Thread sleep count: 9915 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3484	Thread sleep count: 9900 > 30

Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB9907A170 GetSystemInfo,

14_2_00007FFB9907A170

Source: C:\Windows\System32\regsvr32.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service6
Source: regsvr32.exe, 0000000E.00000003.101835410052.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101847395804.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101840433580.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Sched
Source: regsvr32.exe, 0000000E.00000003.101841221752.0000000003088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgga]
Source: regsvr32.exe, 0000000E.00000003.101835729496.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838409957.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838372437.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101835764971.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101840971855.0000000003088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccessful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgga]
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesows\
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processors2.sys
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitionmunb3
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitionvity
Source: regsvr32.exe, 0000000E.00000003.101834884718.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101834734505.0000000002F55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Contex
Source: regsvr32.exe, 0000000E.00000003.101835729496.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101834255055.000000000306B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101835892541.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838409957.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101849833577.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101841368765.000000000306B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838372437.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101841221752.0000000003088000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838685116.000000000306B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101834153989.0000000003031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848P
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisori
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipesJb
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000009.00000003.101720053485.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101711754873.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101720170362.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Tr
Source: regsvr32.exe, 0000000E.00000003.101834631814.0000000002F59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101834336339.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101836256303.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101833974413.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorP
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition.dll>$
Source: regsvr32.exe, 00000009.00000003.101712142747.0000000002B35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequenc
Source: regsvr32.exe, 00000009.00000003.101712472154.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: regsvr32.exe, 0000000E.00000003.101834840785.0000000002F31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctive Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost\"9
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitionows\
Source: regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.00000000057BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys9
Source: regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.00000000057BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitiong
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisorC<
Source: regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.00000000057BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processori
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid PartitionZ9uj
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisory
Source: regsvr32.exe, 00000009.00000003.101720363736.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101846931416.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition'}]
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesd
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitionl
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: regsvr32.exe, 0000000E.00000003.101847660733.0000000002F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt No
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: powershell.exe, 0000000F.00000002.101994038719.000001E26D311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 0000000E.00000003.101847123517.0000000002F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: regsvr32.exe, 0000000E.00000003.101834437886.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101834665417.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Proce
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor+rb
Source: regsvr32.exe, 00000009.00000003.101713203268.0000000001098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitionz
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.00000000057BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitiond
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: regsvr32.exe, 0000000E.00000003.101833418493.0000000002F66000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101837328418.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitec
Source: regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.00000000057BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root PartitionlO
Source: powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101889558229.0000000001377000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: regsvr32.exe, 00000009.00000003.101720211745.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshoth57
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceJ
Source: regsvr32.exe, 0000000E.00000003.101849158572.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101840281423.0000000002F96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101837951838.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101847452097.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101848153289.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101847619936.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Int
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 00000009.00000003.101743560036.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101947276329.0000000005204000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.000000000514F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056814035.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.102056911334.0000000001378000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102054265581.0000000001375000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101880620764.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102046538179.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102042264213.000000000551A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101883897736.0000000005837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 0000000E.00000003.101848041817.000000000305D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101839274338.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101837016344.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101836679600.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101848263522.000000000305D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101847992575.000000000305D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101836979847.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101848983176.000000000305D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101838739729.0000000003069000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101848546656.000000000305D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active
Source: regsvr32.exe, 00000009.00000003.101740776394.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101743560036.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.102021982749.0000000001048000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101753563395.0000000001047000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101945353633.00000000051CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101959050599.0000000001047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionn

Source: C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

14_2_00007FFB98FF8160

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB990119D0 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,RtlFreeHeap,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,GetProcessTimes,

14_2_00007FFB990119D0

Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\regsvr32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 88.99.161.62 56001

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\regsvr32.exe

Thread register set: 4752 5

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\i9DKxTZoVd.exe "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\swallow.dat\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{5af4b0cc-a257-4a7e-e201-d5df536679fb}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\swallow.dat\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{5af4b0cc-a257-4a7e-e201-d5df536679fb}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"			Jump to behavior

Source: regsvr32.exe, 00000009.00000003.101951234755.00000000051D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101731450336.0000000005084000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953113164.0000000005239000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB9909BA70 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,ReadFileEx,SleepEx,GetLastError,

14_2_00007FFB9909BA70

Source: C:\Windows\System32\regsvr32.exe

14_2_00007FFB990119D0

Source: C:\Windows\System32\regsvr32.exe

Code function: 14_2_00007FFB98FFDD10 CallNtPowerInformation,GetLogicalProcessorInformationEx,GetLogicalProcessorInformationEx,TlsGetValue,TlsGetValue,TlsSetValue,TlsGetValue,TlsGetValue,ProcessPrng,TlsGetValue,TlsSetValue,TlsGetValue,TlsGetValue,TlsGetValue,TlsSetValue,TlsGetValue,TlsGetValue,TlsGetValue,TlsSetValue,TlsGetValue,memset,RtlGetVersion,

14_2_00007FFB98FFDD10

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: regsvr32.exe, 00000009.00000003.101750988707.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101957876341.000000000522F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101942743810.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101951234755.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101935437421.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101954673010.000000000509C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953465568.00000000050BA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101955689436.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101939285418.00000000050D5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101929916037.00000000050D5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procdump.exe

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	227 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	213 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 Network Share Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	641 Security Software Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	341 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	213 Process Injection	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
i9DKxTZoVd.exe	39%	ReversingLabs	Win32.Ransomware.Generic
i9DKxTZoVd.exe	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\is-8SV5O.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Swallow.dat (copy)	26%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\is-N7DV6.tmp	26%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.micrm/pki/certs/MicR_2010-06-23.crt0	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXzA	0%	Avira URL Cloud	safe
http://www.innosetup.com/	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgames2/)	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/g	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgames2/m	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/E	0%	Avira URL Cloud	safe
http://crl.microso	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgames2/	0%	Avira URL Cloud	safe
http://www.remobjects.com/ps	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/.	0%	Avira URL Cloud	safe
http://cacerts.digic	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/	0%	Avira URL Cloud	safe
https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/	0%	Avira URL Cloud	safe
http://www.innosetup.com/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
1hvnc.duckdns.org	88.99.161.62	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	i9DKxTZoVd.exe, 00000000.00000003.101663444971.0000000002500000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.exe, 00000000.00000003.101663862917.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.tmp, 00000001.00000000.101665254233.0000000000401000.00000020.00000001.01000000.00000004.sdmp, i9DKxTZoVd.tmp.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	regsvr32.exe, 00000009.00000003.101731450336.0000000005084000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953113164.0000000005239000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101732892581.0000000005084000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101733366336.0000000005098000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101953392054.0000000005255000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952282689.0000000005239000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102031668502.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101871816850.000000000545D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.101798259193.000002A4DE8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.101779809519.000002A4CFD3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101896209492.0000025DB1525000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA29A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101994038719.000001E26D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000C.00000002.101837470212.0000025DA256D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micrm/pki/certs/MicR_2010-06-23.crt0	powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tst-gameplayapi.intel.com/api/games/getagsgames2/)	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXzA	powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.pngXzA	powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/C	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	i9DKxTZoVd.tmp, 00000007.00000003.101705778461.0000000006000000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmp	false		high
https://gameplayapi.intel.com/api/games/getagsgamesettings2/	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/g	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tst-gameplayapi.intel.com/api/games/getagsgames2/m	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/Y	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101908630743.0000025DB9CC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/E	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/PesterXzA	powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gameplayapi.intel.com/api/games/getagsgames2/r	regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microso	powershell.exe, 0000000F.00000002.102015220848.000001E27587D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.101779809519.000002A4CEA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA16DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D4CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gameplayapi.intel.com/api/games/getagsgamesettings2/#	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.101798259193.000002A4DE8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.101779809519.000002A4CFD3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101896209492.0000025DB1525000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA29A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101994038719.000001E26D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25E72F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlh	powershell.exe, 0000000C.00000002.101837470212.0000025DA2853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA2827000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	powershell.exe, 0000000A.00000002.101802236942.000002A4E6A5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gameplayapi.intel.com/api/games/downloadthumbnail/	regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tst-gameplayapi.intel.com/api/games/getagsgames2/	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.intel.com/support/gfx_feedbackx;	regsvr32.exe, 00000009.00000003.101734444126.0000000005319000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005319000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.000000000584B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 0000000A.00000002.101779809519.000002A4CE851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA14B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D2A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.remobjects.com/ps	i9DKxTZoVd.exe, 00000000.00000003.101663444971.0000000002500000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.exe, 00000000.00000003.101663862917.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, i9DKxTZoVd.tmp, 00000001.00000000.101665254233.0000000000401000.00000020.00000001.01000000.00000004.sdmp, i9DKxTZoVd.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/.	regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	powershell.exe, 0000000A.00000002.101802236942.000002A4E6A5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101905223523.0000025DB99C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.102005654098.000001E2753EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/.	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.intel.com/support/gfx_feedback	regsvr32.exe, 00000009.00000003.101952377109.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005554000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000A.00000002.101779809519.000002A4CE851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.101837470212.0000025DA14B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.101919557191.000001E25D2A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cacerts.digic	regsvr32.exe, 0000000E.00000003.101876266085.00000000053B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 0000000C.00000002.101837470212.0000025DA256D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/	regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gameplayapi.intel.com/api/games/getagsgames2/	regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/	regsvr32.exe, 00000009.00000003.101734444126.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101734444126.000000000527E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.000000000529F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.101952377109.0000000005286000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.101876830513.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005510000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.102033434819.0000000005518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.99.161.62	1hvnc.duckdns.org	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572121
Start date and time:	2024-12-10 06:58:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	i9DKxTZoVd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/24@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 90% Number of executed functions: 41 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target powershell.exe, PID 4292 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5652 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:00:22	API Interceptor	47x Sleep call for process: powershell.exe modified
01:00:59	API Interceptor	1169133x Sleep call for process: regsvr32.exe modified
07:00:29	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB} path: regsvr32 s>/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
88.99.161.62	SecuriteInfo.com.Win32.DropperX-gen.20947.10834.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	213.239.239.164
	2704IeeQyo.exe	Get hash	malicious	SmokeLoader	Browse	188.40.141.211
	e6reA52T4I.exe	Get hash	malicious	SmokeLoader	Browse	188.40.141.211
	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	178.63.102.185
	32%20VPN.exe	Get hash	malicious	AsyncRAT	Browse	136.243.179.5
	222.exe	Get hash	malicious	Njrat	Browse	136.243.179.5
	600%202024.exe	Get hash	malicious	PureLog Stealer	Browse	178.63.102.185
	xhost.vbs	Get hash	malicious	Unknown	Browse	136.243.179.5
	800.vbs	Get hash	malicious	Unknown	Browse	136.243.179.5

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp	SekpL8Z26C.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2c5j33a1.vbs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fbhz142.kbu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg21qxr0.gvo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbu5rg0o.mzv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krorliuz.ovv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1jp1i1k.bm4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn2xafun.1dm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrmt4fbf.meg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2sop4h4.s1y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl01hpbh.by3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpwr3wzs.obh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zzs2efoc.gsb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

Download File

Process:	C:\Users\user\Desktop\i9DKxTZoVd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.3941502469827425
Encrypted:	false
SSDEEP:	24576:MYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XU:3GUhni7iSFCQGu
MD5:	14C6FA8E50B4147075EB922BD0C8B28D
SHA1:	0FAAD18B0E26CE3B5C364621A4F0AEE9DB56A9A7
SHA-256:	90C4A61AF494B63ECFE1226714175675A4E49E57D50718491B3BC8FE29DD8FC7
SHA-512:	E6C35BBCAA9A8BB306E58BB91AADF5FEED6B1AD1DF6EE0E68BF3BAE9B76D84C862B4EE9DD87A1D288FE1B7AAAAC13467964436A09EC529F67AF50905CD0EF876
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: SekpL8Z26C.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Download File

Process:	C:\Users\user\Desktop\i9DKxTZoVd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.3941502469827425
Encrypted:	false
SSDEEP:	24576:MYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XU:3GUhni7iSFCQGu
MD5:	14C6FA8E50B4147075EB922BD0C8B28D
SHA1:	0FAAD18B0E26CE3B5C364621A4F0AEE9DB56A9A7
SHA-256:	90C4A61AF494B63ECFE1226714175675A4E49E57D50718491B3BC8FE29DD8FC7
SHA-512:	E6C35BBCAA9A8BB306E58BB91AADF5FEED6B1AD1DF6EE0E68BF3BAE9B76D84C862B4EE9DD87A1D288FE1B7AAAAC13467964436A09EC529F67AF50905CD0EF876
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-TP7FD.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\is-8SV5O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183089
Entropy (8bit):	6.366383799611909
Encrypted:	false
SSDEEP:	24576:kYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XL:fGUhni7iSFCQGh
MD5:	240D43029FC0EEEA39338BB072979971
SHA1:	D0F08A4626007D5BC62906BDA2FB3CEBD2D0620C
SHA-256:	D7F6D81711E2B10E1FF719175ABB8CBB93641F48F68FE94D8B9F2677CC132F7E
SHA-512:	7B01B2A1C5B00C3A3D47CEC636CD6D0FC8FD2C632B398625F12A5F415BDF8FD358329792CD769A72FD9BB8980CAE584D025140D9EEC68720C5910E034DC0D08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	InnoSetup Log Cloudy Floor, version 0x418, 3671 bytes, 768287\37\user\37, C:\Users\user\AppData\Local\376\377\377\
Category:	dropped
Size (bytes):	3671
Entropy (8bit):	3.760013788257662
Encrypted:	false
SSDEEP:	96:eH44NWzpZn3jCdfc1AGlEDA4MZAe2LpYHhDH:mxYpZ32f7fDSmuHh
MD5:	371509775D6E7A92A5C309D9557CC80C
SHA1:	8F5D6B790568A6B3E643629488DAD3D191E7567E
SHA-256:	6DC75EB5D6C2A80D8553615ACA0CF5E0E9EB8A092FD9210A6790E8D0210E101F
SHA-512:	8C5FA5F89A2DE661C7909393F360BF967F418C26F4ED61A9C4F714097D780F7C6AA9E205F03AB12B512A3689AE15C6A4E433652F29C8580EBA287DBF912300E9
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Cloudy Floor....................................................................................................................Cloudy Floor............................................................................................................................W...%.................................................................................................................*.....t.............w........7.6.8.2.8.7......A.r.t.h.u.r......C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l....................b.. ..............IFPS...............................................................................................................................................................BOOLEAN..............TEXECWAIT.................!MAIN....-1..'...dll:kernel32.dll.GetCurrentProcess.......(...dll:kernel32.dll.TerminateProcess................ ...RESTARTINSTALLERWITHSILENTPARAMS....-1..EXPANDCONSTANT........EXEC.....

C:\Users\user\AppData\Local\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183089
Entropy (8bit):	6.366383799611909
Encrypted:	false
SSDEEP:	24576:kYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XL:fGUhni7iSFCQGh
MD5:	240D43029FC0EEEA39338BB072979971
SHA1:	D0F08A4626007D5BC62906BDA2FB3CEBD2D0620C
SHA-256:	D7F6D81711E2B10E1FF719175ABB8CBB93641F48F68FE94D8B9F2677CC132F7E
SHA-512:	7B01B2A1C5B00C3A3D47CEC636CD6D0FC8FD2C632B398625F12A5F415BDF8FD358329792CD769A72FD9BB8980CAE584D025140D9EEC68720C5910E034DC0D08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\Swallow.dat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1781248
Entropy (8bit):	6.995028051504293
Encrypted:	false
SSDEEP:	49152:AKX0xR9RtqCxPCFX1WoVFUjVM2mJVRQ7YiBp8Y+8Sc:ratqCxPCFX1vVeiRaBphoc
MD5:	9C2A3C72B19B3C65DF79E1262B840B52
SHA1:	D25DD891378F215104F493F4B2001F3902E17A3C
SHA-256:	E003A8AA982B96201768B48EDA1B375973C306D1CECECE73276F0267E11E2A1F
SHA-512:	7C28A68290B3C26354C3B7BCCA42B5BCBC81DFA01B3B699E47C68A3958E87DD3059FCC78099A60DDC901282980674900CDFCE7E5B80081873E9EB400182524A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...t<.D..........."...+........... ...............................................4.....`... ......................................0..q....@.../...........`............................................. V..(....................K..x............................text...X...........................`..`.data........ ......................@....rdata...(...0.....................@..@.pdata......`.......4..............@..@.xdata....... ......................@..@.bss......... ...........................edata..q....0......................@..@.idata.../...@...0..................@....CRT....`....p......................@....tls................................@....reloc..............................@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-N7DV6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1781248
Entropy (8bit):	6.995028051504293
Encrypted:	false
SSDEEP:	49152:AKX0xR9RtqCxPCFX1WoVFUjVM2mJVRQ7YiBp8Y+8Sc:ratqCxPCFX1vVeiRaBphoc
MD5:	9C2A3C72B19B3C65DF79E1262B840B52
SHA1:	D25DD891378F215104F493F4B2001F3902E17A3C
SHA-256:	E003A8AA982B96201768B48EDA1B375973C306D1CECECE73276F0267E11E2A1F
SHA-512:	7C28A68290B3C26354C3B7BCCA42B5BCBC81DFA01B3B699E47C68A3958E87DD3059FCC78099A60DDC901282980674900CDFCE7E5B80081873E9EB400182524A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...t<.D..........."...+........... ...............................................4.....`... ......................................0..q....@.../...........`............................................. V..(....................K..x............................text...X...........................`..`.data........ ......................@....rdata...(...0.....................@..@.pdata......`.......4..............@..@.xdata....... ......................@..@.bss......... ...........................edata..q....0......................@..@.idata.../...@...0..................@....CRT....`....p......................@....tls................................@....reloc..............................@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.935160477071088
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	i9DKxTZoVd.exe
File size:	1'336'796 bytes
MD5:	108b6783fb581f9f9ce33936379ee0cd
SHA1:	d929bf4e5fa60a1084314149628458d44d2c2a83
SHA256:	02adaac35a67006fb3424a7e8264fccac9b54e2791f333f16bae2f3245efb4d7
SHA512:	a9f98b0a96a7026bff4312b4c388f325f114329150070e450d52eae5b5341752f26cb9c2c5583b1cae236e8a9a6e4fa2389e675cd5113d133cdd6728c8aa76bf
SSDEEP:	24576:AMjh2jn9tQZvTIcWJpwwQmQ4HiVVL1ZKPgWRqadRRn0dxD:zOn9eZLJCpwlmQ4HyvOgWRqadRRnqxD
TLSH:	F5552242F7D30436F43659389C62C1546D73B97126E2945A2DFCEE0E0ABA1C2583EFB6
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4FC4B854 [Tue May 29 11:51:48 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007F26489A1651h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007F26489AFEFBh
call 00007F26489AFAA2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F26489A9724h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6E8h
call 00007F264899FC87h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6E8h]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007F26489AA00Fh
mov dword ptr [0041D6ECh], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F26489AFF83h
mov dword ptr [0041D6F4h], eax
mov eax, dword ptr [0041D6F4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F26489B12EAh
mov eax, dword ptr [0041D6F4h]
mov edx, 00000028h
call 00007F26489AA4D8h
mov edx, dword ptr [0041D6F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xb1d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	c9bb3afc1ceaaa31127ccfa204c657ef	False	0.5487316743827161	data	6.482216817915366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	1ba5adf2e1058c0460dcc814ba86fb32	False	0.6246744791666666	data	6.005798728198158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x574c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0xb1d8	0xb200	debddae1da37dfd6047daa43d23f03ea	False	0.17920470505617977	data	4.153832435967969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2141c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x21544	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0x21aac	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x21d94	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_STRING	0x2263c	0xc4	data			0.5969387755102041
RT_STRING	0x22700	0xcc	data			0.6225490196078431
RT_STRING	0x227cc	0x174	data			0.5510752688172043
RT_STRING	0x22940	0x39c	data			0.34523809523809523
RT_STRING	0x22cdc	0x34c	data			0.4218009478672986
RT_STRING	0x23028	0x294	data			0.4106060606060606
RT_RCDATA	0x232bc	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x2b5a4	0x10	data			1.5
RT_RCDATA	0x2b5b4	0x1a0	data			0.8149038461538461
RT_RCDATA	0x2b754	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x2b780	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x2b7c0	0x4b8	COM executable for DOS	English	United States	0.28642384105960267
RT_MANIFEST	0x2bc78	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T07:00:59.505222+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	88.99.161.62	56001	192.168.11.20	49761	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 07:00:58.573466063 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:58.792820930 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:58.793055058 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:58.795938969 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:59.015156984 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:59.015332937 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:59.239620924 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:59.239662886 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:59.239939928 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:59.246365070 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:00:59.505222082 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:59.552104950 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:00:59.602289915 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:01.133064032 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:01.392791986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:01.392987967 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:01.652374029 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.033536911 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.085694075 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.304677010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.313019037 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.572269917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.572396994 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.820804119 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.820939064 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.820950985 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821014881 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821024895 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821120024 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.821213007 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.821224928 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821234941 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821244955 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821393967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821398020 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821398973 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821398973 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:04.821413994 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.821553946 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:04.821568012 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.040457964 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040491104 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040518045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040539980 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040560961 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040581942 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040652990 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.040652990 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.040745020 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040766001 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.040767908 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040790081 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040824890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040852070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040873051 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040894985 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040915966 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.040975094 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041003942 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041007042 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041028023 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041049004 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041073084 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041090965 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041094065 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041116953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041169882 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041176081 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.041196108 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041196108 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041318893 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.041397095 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.259855986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.259886980 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.259912014 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.259934902 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260051966 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260143995 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260159016 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260166883 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260190010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260246992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260272980 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260293961 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260315895 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260338068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260353088 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260360003 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260384083 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260385036 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260412931 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260478020 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260555983 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260585070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260615110 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260637045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260659933 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260685921 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260710001 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260735989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260744095 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260757923 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260780096 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260799885 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260822058 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260831118 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260831118 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260843039 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260869026 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260900021 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260922909 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260940075 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.260946989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260970116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.260991096 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261013031 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261015892 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261049032 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261049032 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261159897 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261176109 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261176109 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261184931 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261207104 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261228085 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261250019 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261281967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261310101 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261331081 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261353016 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261369944 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261369944 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261374950 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.261406898 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261512041 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.261594057 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.479348898 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479621887 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479664087 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479703903 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479739904 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479770899 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479799986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479835033 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479867935 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.479867935 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.479883909 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479923010 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.479957104 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.479986906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480016947 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480022907 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480046034 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480076075 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480104923 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480134010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480163097 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480192900 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480191946 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480221987 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480237007 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480252028 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480282068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480310917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480319023 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480319023 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480339050 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480366945 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480370045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.480439901 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.480557919 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481206894 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481245041 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481287956 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481327057 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481355906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481384993 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481389046 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481442928 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481486082 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481511116 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481522083 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481569052 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481616020 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481648922 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481664896 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481693029 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481710911 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481760979 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481792927 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481811047 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481854916 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481901884 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.481945992 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.481951952 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482001066 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482045889 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482053041 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482081890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482086897 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482110977 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482140064 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482155085 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482155085 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482168913 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482198000 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482275009 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482279062 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482320070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482326984 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482355118 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482398033 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482426882 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482456923 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482460022 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482494116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482506037 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482528925 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482554913 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482563019 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482599974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482604027 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482642889 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482681990 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482711077 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482739925 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482745886 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482769012 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482816935 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482831955 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482871056 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482872009 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482903957 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482916117 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.482933044 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482963085 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482991934 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.482992887 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483031034 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483056068 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483067036 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483099937 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483120918 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483138084 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483182907 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483189106 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483212948 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483243942 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483292103 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483328104 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483331919 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483366966 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483402967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483432055 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483444929 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483463049 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483491898 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483494043 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483520985 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483550072 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483551979 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483580112 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483623981 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.483680964 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.483761072 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.699538946 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.699835062 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.699875116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.699906111 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.699935913 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.699965000 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700009108 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700045109 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700076103 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700081110 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700108051 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700128078 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700145006 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700181007 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700201988 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700218916 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700246096 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700267076 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700319052 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700370073 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700417995 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700455904 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700484991 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700484991 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700495005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700536966 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700581074 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700606108 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700628042 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700664997 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700692892 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700721979 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700750113 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700769901 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700778961 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700809002 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700814009 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700856924 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700895071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700910091 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700942039 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.700953960 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.700975895 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701004982 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701045036 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701051950 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701093912 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701124907 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701144934 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701153994 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701183081 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701212883 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701241970 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701240063 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701241016 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701277971 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701314926 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701351881 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701364040 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701380968 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701407909 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701411009 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701440096 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701468945 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701494932 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701503992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.701535940 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701605082 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.701683998 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703156948 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703203917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703255892 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703448057 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703464031 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703514099 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703555107 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703592062 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703627110 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703634977 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703677893 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703677893 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703726053 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703768969 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703799963 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703821898 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703830957 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703860044 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703866005 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703888893 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703926086 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703952074 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.703959942 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703993082 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.703994989 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704021931 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704062939 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704066992 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704102039 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704130888 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704159021 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704174042 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704188108 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704216957 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704237938 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704237938 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704246044 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704276085 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704304934 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704333067 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704334974 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704360962 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704390049 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704394102 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704418898 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704447985 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704449892 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704476118 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704504967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704519987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704534054 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704562902 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704569101 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704591990 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704619884 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704639912 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704649925 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704667091 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704679966 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704715967 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704716921 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704751968 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704765081 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704787016 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704817057 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704854965 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704863071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704906940 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704937935 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.704969883 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.704982042 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705018997 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705049038 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705049038 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705054998 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705091953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705126047 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705144882 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705161095 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705195904 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705215931 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705233097 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705277920 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705316067 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705319881 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705352068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705372095 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705384970 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705419064 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705436945 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705454111 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705482960 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705502987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705512047 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705549002 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705590010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705595970 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705620050 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705647945 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705677032 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705703974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705713987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705713987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705733061 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705760956 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705790043 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705807924 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705817938 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705847025 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705857038 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705874920 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705905914 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705905914 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705935001 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705962896 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.705984116 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705984116 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.705991983 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706021070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706049919 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706079006 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706080914 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706106901 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706130028 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706136942 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706171989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706181049 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706229925 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706257105 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706270933 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706300974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706324100 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706336975 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706382036 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706388950 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706414938 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706451893 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706475973 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:05.706476927 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706607103 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:05.706737995 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:06.241137028 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:06.456377029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:06.456604958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:06.457813978 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:06.672956944 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:06.673115015 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:06.888396025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:06.888964891 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.116972923 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.117023945 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.145076990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.254838943 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.332211971 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.332390070 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.332449913 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.332621098 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.406486034 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.406585932 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.470197916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.547682047 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.547904015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.547928095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.557054996 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.557164907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.621650934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.621777058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.621794939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.622067928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.704850912 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.704904079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.772317886 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.772650957 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.858903885 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.858927965 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.859004021 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.859169960 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:07.919976950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.919986010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.920250893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:07.920340061 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.004741907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.004765034 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.004842997 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.005007982 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.074882030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.155356884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.155379057 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.155462027 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.219798088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.219937086 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.220181942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.291728973 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.291829109 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.370446920 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.370532036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.370758057 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.370910883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.438554049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.438653946 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.506818056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.507272005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.592669964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.592775106 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.653904915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.654175997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.744760990 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.744862080 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.807774067 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.807782888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.808001041 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.896900892 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.897003889 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:08.960166931 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:08.961121082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.039048910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.039154053 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.111974001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.112066031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.112314939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.112354040 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.195103884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.195209026 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.254286051 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.254576921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.344424963 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.344531059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.411102057 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.492352962 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.492453098 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.559649944 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.559726954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.559830904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.559853077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.644507885 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.644612074 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.707525015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.707647085 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.707766056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.790642977 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.790750980 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.859692097 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.859982014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:09.946259975 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:09.946361065 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.005840063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.005866051 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.006088972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.088556051 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.088661909 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.161413908 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.161434889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.162549973 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.228421926 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.228524923 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.303667068 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.303883076 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.304054976 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.378814936 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.378916979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.443644047 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.443722963 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.443891048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.526042938 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.526113987 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.595309019 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.595320940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.595330000 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.675175905 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.675271034 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.741177082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.741244078 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.741503000 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.823868036 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.823967934 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.890654087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.891635895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:10.980545998 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:10.980644941 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.038923025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.039000988 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.039194107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.039433956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.125286102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.125413895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.196197987 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.197117090 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.300108910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.300261021 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.340616941 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.341553926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.442775965 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.442876101 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.515300035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.516339064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.591821909 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.591898918 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.658811092 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.726813078 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.726881981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.807086945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.808126926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:11.875406027 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.875505924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:11.942771912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.027793884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.027896881 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.091129065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.159004927 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.159105062 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.247279882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.334172964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.334280014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.374238014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.375253916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.478565931 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.478667974 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.549891949 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.627621889 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.627727032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.694319963 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.782830954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.782933950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.843632936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:12.929353952 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.929430962 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:12.998821020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.078447104 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.078515053 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.144613981 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.229485035 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.229590893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.294121981 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.378336906 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.378438950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.445436954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.528386116 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.528479099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.599132061 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.599407911 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.663301945 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.663407087 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.744110107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.812397957 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.812499046 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.878696918 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.879664898 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:13.963680029 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:13.963784933 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.028088093 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.113468885 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.113571882 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.179292917 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.261256933 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.261328936 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.328599930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.329575062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.415138006 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.415266037 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.476455927 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.476466894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.476588964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.561032057 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.561223984 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.630445004 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.630472898 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.630542040 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.630896091 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.696878910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.696996927 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.776664972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.777637959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.851949930 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.852054119 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:14.912529945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.912542105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.912643909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:14.998064995 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.067400932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.067414045 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.132370949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.132534027 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.213469028 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.213511944 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.213540077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.278620005 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.278714895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.348104954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.348150015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.348176956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.404946089 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.418648958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.418821096 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.458234072 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.494179964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.494477034 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.494518995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.563487053 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.563575029 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.634118080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.634293079 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.634325027 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.634644985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.677743912 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.678935051 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.712625980 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.712795019 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.779010057 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.779295921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.864417076 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:15.928109884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.928203106 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.928212881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.928570986 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.938344002 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:15.938608885 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.012510061 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.079632998 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.079644918 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.079652071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.149974108 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.150135994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176166058 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176290989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176393986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176461935 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176582098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176594973 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176604986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176615953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176625967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176635027 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176645041 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176655054 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176665068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176673889 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176682949 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176695108 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176704884 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176713943 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176724911 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176753998 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176753998 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176799059 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176803112 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176803112 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176804066 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176806927 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176806927 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176819086 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176829100 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176837921 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176847935 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176855087 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176860094 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176870108 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176879883 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176903963 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176954031 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176954031 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.176966906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176970005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176970005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176970959 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176970959 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.176971912 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177063942 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177063942 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177113056 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177113056 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177148104 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177159071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177170038 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177180052 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177187920 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177197933 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177207947 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177217960 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177227974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177237034 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177247047 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177257061 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177265882 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177270889 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177270889 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177282095 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177292109 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177300930 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177314043 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177319050 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177319050 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177328110 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177337885 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177347898 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177357912 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177367926 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177377939 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177387953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177397013 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177406073 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177417040 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177417994 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177417994 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177431107 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177439928 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177450895 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177459002 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177467108 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177473068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177481890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177491903 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177500963 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177510023 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177515030 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177522898 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177532911 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177541971 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177551985 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177561045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177565098 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177565098 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177565098 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177565098 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177578926 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177588940 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177597046 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177607059 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177613020 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177613020 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177620888 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177630901 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177639961 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177649975 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177659035 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177663088 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177663088 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177674055 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177685022 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177695036 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177704096 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177711010 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177711010 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177719116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177727938 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177736998 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177747011 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177756071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177759886 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177759886 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177771091 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177781105 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177791119 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177799940 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177810907 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177819967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177829027 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177839041 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177848101 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177859068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177860022 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177860022 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177872896 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177881956 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177891970 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177901030 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177911997 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177921057 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177957058 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177957058 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.177978992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177989006 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.177998066 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178004980 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178011894 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178020954 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178054094 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178102970 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178139925 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178142071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178143024 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178143024 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178143978 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178153038 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178250074 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178298950 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178306103 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178307056 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178307056 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178308010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178308010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178308010 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178308964 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178308964 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178309917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178311110 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178311110 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178312063 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178348064 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178397894 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178397894 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178446054 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178464890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178464890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178466082 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178466082 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178467035 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178467989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178467989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178468943 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178494930 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178597927 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178630114 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178632021 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178632021 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178632021 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178632975 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178632975 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178633928 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178634882 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178644896 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178714037 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178762913 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178798914 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178800106 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178801060 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178801060 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178802013 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178802013 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178802967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178802967 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178803921 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178803921 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178805113 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178805113 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178806067 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178806067 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178807020 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178807020 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178807974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178807974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178808928 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178817987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178817987 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178867102 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178963900 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178963900 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.178967953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178968906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178970098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178970098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178970098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178971052 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178971052 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178972006 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178973913 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178975105 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178976059 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178976059 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178977013 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178977013 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.178977966 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179013014 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179061890 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179111958 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179111958 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179111958 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179133892 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179135084 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179135084 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179136038 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179136038 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179136992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179136992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179137945 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179137945 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179138899 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179140091 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179140091 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179140091 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179141045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179141045 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179141998 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179141998 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179142952 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179142952 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179143906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179143906 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179145098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179145098 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179160118 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179209948 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179209948 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179209948 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179258108 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179299116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179299116 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179300070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179300070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.179307938 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179307938 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179357052 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179357052 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179405928 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179455042 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179508924 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179508924 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179555893 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179555893 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179603100 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179603100 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179603100 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179603100 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179651022 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.179702997 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.223611116 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.227660894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.227946043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.297727108 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.297831059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.365345955 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.365569115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.395780087 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396039009 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396120071 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396132946 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396229982 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396290064 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396317005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396328926 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396338940 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396430016 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396442890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396452904 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396456003 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396470070 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396480083 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396488905 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396498919 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396508932 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396517992 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396528006 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396538019 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396547079 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396559000 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396559954 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396572113 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396581888 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396590948 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396605968 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396687031 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396687031 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396687984 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396687984 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396706104 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396764040 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396775007 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396779060 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396790028 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396800041 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396809101 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396819115 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396828890 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396838903 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.396919012 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396933079 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396933079 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.396933079 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397345066 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397356033 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397366047 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397376060 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397469044 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397469044 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397628069 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397638083 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397648096 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397656918 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397666931 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397675991 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397686005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397696018 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397705078 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397715092 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397723913 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397733927 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397742987 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397753954 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397763014 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397768021 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397778034 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397788048 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397797108 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397806883 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397814989 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397814989 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397820950 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397831917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397840977 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397850990 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397861004 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397864103 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397864103 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397876024 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397886038 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397896051 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397905111 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397916079 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.397964001 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397964001 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.397964001 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398011923 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398011923 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398046017 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398056984 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398061037 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398061037 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398072958 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398082018 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398092031 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398111105 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398209095 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398288012 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398335934 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398346901 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398355961 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398365974 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398521900 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398629904 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398639917 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398649931 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398658991 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398669004 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398678064 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398686886 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398696899 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398706913 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398715973 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398725986 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398735046 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398745060 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398755074 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398763895 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398768902 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398778915 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398788929 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398797989 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398808002 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398817062 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398827076 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398835897 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398845911 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398848057 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398848057 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398859978 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398869991 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398880005 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398889065 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398895025 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398901939 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398911953 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.398993969 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.398993969 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399076939 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399076939 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399076939 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399113894 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399125099 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399135113 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399141073 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399148941 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399158955 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399168968 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399177074 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.399280071 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399280071 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.399354935 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.458370924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.458468914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.512895107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.512906075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.513174057 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.596487045 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.596546888 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.673727036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.673955917 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.673998117 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.674026966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.753947020 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.754091978 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.811799049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.812012911 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.812261105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.841794014 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.903126001 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:16.969625950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:16.969706059 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.049053907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.049169064 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.058325052 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.058567047 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.059684038 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.118750095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.118796110 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.119132996 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.198544979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.198705912 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.264668941 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.264878988 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.264921904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.275816917 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.276087046 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.331444025 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.331532001 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.414141893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.414307117 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.414340019 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.487538099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.487713099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.492717981 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.493407965 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.547017097 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.547063112 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.547193050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.629013062 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.629118919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.703263044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.703310966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.703373909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.750408888 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.750634909 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.782630920 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.782804012 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.844799995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.844846964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.844875097 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.934886932 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.934978962 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:17.998110056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.998367071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:17.998409986 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.007127047 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.065087080 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.065260887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.150628090 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.151015997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.216305017 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.216398954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.280776978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.280932903 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.280961990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.350769043 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.350883961 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.432334900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.432379961 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.502418995 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.502587080 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.566422939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.566477060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.566507101 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.654279947 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.654412031 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.718144894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.718190908 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.718256950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.800062895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.800153971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.869818926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.869868994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.869899035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.870275974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:18.952763081 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:18.952857018 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.016635895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.100040913 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.100205898 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.168229103 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.168517113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.250286102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.250380039 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.315669060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.315716982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.315745115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.399252892 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.399377108 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.465856075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.466069937 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.466113091 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.553803921 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.553982973 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.614981890 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.615030050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.699531078 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.699656963 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.769512892 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.769558907 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.769759893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.835419893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.835597038 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.915033102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.915370941 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:19.991050959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:19.991091013 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.050720930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.050825119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.051271915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.133439064 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.206505060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.206552982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.206581116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.268716097 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.268836021 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.348893881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.348938942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.348968029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.417237043 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.417326927 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.484168053 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.484467030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.484755039 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.555512905 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.555684090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.632961035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.633008957 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.633035898 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.702903986 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.702997923 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.771187067 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.771233082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:20.850866079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.850961924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:20.918864965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.005959988 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.066052914 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.066168070 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.153388977 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.153573036 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.221345901 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.221395016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.221431971 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.289283991 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.289387941 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.369013071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.369060993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.369287968 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.437006950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.437180042 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.504823923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.505034924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.584403992 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.609867096 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.609957933 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.652532101 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.652748108 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.652790070 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.750118971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.750150919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.825818062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.826698065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.844281912 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:21.844510078 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.902736902 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.902833939 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:21.966228008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.037985086 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.038033962 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.038078070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.038269997 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.080550909 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.118573904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.128637075 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.188560009 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.188666105 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.253309965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.253354073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.253722906 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.342097998 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.342243910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.347927094 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.357913971 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.404146910 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.404165030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.485614061 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.557611942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.557763100 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.557774067 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.558053970 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.618107080 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.618499041 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.642884016 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.642936945 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.700925112 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.700941086 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.700949907 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.789592028 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.789635897 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.789684057 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.789879084 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:22.858472109 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.878024101 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:22.937171936 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.004987955 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.005249023 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.089967012 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.152659893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.152677059 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.221836090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.222017050 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.305268049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.305289984 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.374252081 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.374315023 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.437324047 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.437369108 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.437619925 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.520860910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.589579105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.589590073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.674511909 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.674556017 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.736094952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.736288071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.820420027 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.889868021 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:23.955471992 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:23.955547094 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.035821915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.108437061 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.170787096 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.170804977 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.170986891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.254354954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.254417896 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.323740959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.323760033 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.323769093 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.406239033 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.470005989 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.555035114 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.621471882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.621486902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.621496916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.711994886 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.712110996 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.770437956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.770478010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.770504951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.855158091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.927438021 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.927725077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.927733898 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:24.990741014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:24.990848064 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.070384026 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.070409060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.070417881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.144876003 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.205971003 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.205993891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.206187010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.290766954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.290875912 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.360474110 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.423652887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.423701048 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.506241083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.506258965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.572312117 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.572427988 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.639023066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.639313936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.709675074 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.787585020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.787877083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.859675884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.859822989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:25.924913883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:25.925208092 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.005763054 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.005860090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.076653004 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.076664925 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.076673985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.155850887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.155905008 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.221076965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.221267939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.307615995 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.307780027 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.371113062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.446003914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.446053982 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.522964001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.523133993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.590147018 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.590313911 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.661412954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.661456108 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.661484003 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.763659954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.763767958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.805418015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.805699110 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.910424948 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.910514116 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:26.979135990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:26.979384899 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.057368994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.057463884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.125948906 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.126188993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.126353025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.196738958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.196845055 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.273363113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.342619896 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.342794895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.412319899 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.412384033 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.494941950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.495033026 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.558192968 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.558474064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.625228882 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.625345945 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.710498095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.710733891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.711015940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.777503014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.777683020 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.841023922 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.841099977 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.841129065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.926866055 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.926963091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:27.993343115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.993387938 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:27.993417025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.077058077 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.077181101 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.142376900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.142657995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.142702103 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.142919064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.228022099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.228144884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.292442083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.292680979 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.292927027 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.359041929 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.359143972 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.443350077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.443721056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.509967089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.510065079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.574341059 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.574352026 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.640058041 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.725167990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.725183964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.725217104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.801000118 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.801156044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:28.855436087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.855448008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:28.944112062 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.016474009 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.016522884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.016551018 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.092277050 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.092384100 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.159481049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.159507990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.159518003 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.245474100 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.307770967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.307823896 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.307851076 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.375926971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.376086950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.461024046 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.461185932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.531140089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.531246901 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.591342926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.591764927 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.676891088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.677006006 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.746831894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.746902943 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.746932030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.829719067 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.829826117 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.892360926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.892437935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.892465115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:29.983932972 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:29.984107971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.045322895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.045427084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.045938015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.129528999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.129571915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.199409962 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.199769020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.279416084 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.279567003 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.345743895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.427292109 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.427382946 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.494865894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.494908094 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.580636024 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.580816031 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.642853975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.643017054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.643029928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.643265009 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.727617025 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.727674007 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.796643972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.865139961 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.865314007 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:30.943200111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:30.943243980 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.016204119 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.016299963 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.080854893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.080902100 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.081151962 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.165371895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.165543079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.231673956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.231863976 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.315252066 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.315359116 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.380713940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.380903006 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.381155014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.463816881 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.530621052 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.530664921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.622199059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.622363091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.679935932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.786411047 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.786571026 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.837779999 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.837940931 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.837973118 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:31.933145046 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:31.933305979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.002149105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.002192974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.002259016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.002491951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.082067966 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.082233906 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.148952007 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.235717058 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.235761881 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.297684908 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.297728062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.297949076 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.382955074 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.383127928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.451050997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.451092958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.533092022 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.533158064 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.598450899 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.598700047 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.680689096 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.680852890 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.748815060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.748859882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.748888016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.813878059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.896332979 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.896467924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.896553993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.896581888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:32.966175079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:32.966295958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.029165983 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.029253006 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.115905046 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.115971088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.181607962 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.181900978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.182091951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.267159939 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.267343044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.331204891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.331675053 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.331732035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.416677952 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.416765928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.482537031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.482919931 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.483066082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.566600084 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.566772938 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.632119894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.632477999 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.632517099 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.717338085 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.717417002 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.781903982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.782296896 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.867670059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.867820978 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.932830095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.932862043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:33.933063030 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:33.933088064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.013794899 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.013962030 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.083754063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.163074970 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.163180113 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.189059973 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.229275942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.229319096 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.229363918 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.229415894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.301352024 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.301469088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.378473997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.378777027 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.379024029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.453583956 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.517057896 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.517559052 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.600593090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.600709915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.669233084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.750802994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.750972033 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.816252947 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.816270113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:34.899056911 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.899158955 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:34.966882944 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.033221960 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.114460945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.114506960 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.114535093 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.181927919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.182089090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.248997927 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.249313116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.353404999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.353477001 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.397598028 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.397639036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.397938967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.483064890 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.483242989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.568773985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.569207907 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.632193089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.632265091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.685339928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.698879957 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.699057102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.766978025 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.767046928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.847682953 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.847724915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.847779036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.919517994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.919615984 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:35.982491970 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.982671022 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.982701063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:35.982719898 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.070755959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.070842981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.135006905 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.135080099 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.217221975 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.217390060 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.286246061 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.286314011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.286575079 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.388322115 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.388422966 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.432749987 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.432792902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.433135033 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.534051895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.534168959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.603936911 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.604161978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.687220097 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.687386036 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.749669075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.749708891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.749737978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.750089884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.835730076 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.902750969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.902822971 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.903033972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:36.971103907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:36.971256971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.051209927 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.051414013 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.130459070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.130553961 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.187586069 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.187625885 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.267909050 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.268095016 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.345921993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.346230030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.346287012 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.425972939 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.426054955 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.483474970 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.483527899 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.483838081 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.516664982 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.568280935 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.568449020 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.641483068 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.641746044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.641786098 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.702538967 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.702644110 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.773236990 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.773457050 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.784667015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.853193045 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.918133974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.918282986 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:37.991002083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:37.991161108 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.029755116 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.068690062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.068734884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.068767071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.068793058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.136677980 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.136794090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.206471920 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.206547976 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.206818104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.287187099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.287358999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.352288961 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.352330923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.352552891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.465774059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.465842009 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.502741098 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.503106117 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.503153086 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.620002031 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.620198965 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.681209087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.681679010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.681781054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.681807995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.791502953 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.791570902 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.835342884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.835510969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.835762978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:38.939410925 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:38.939472914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.006917953 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.007110119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.084498882 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.084604979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.154870987 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.154915094 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.155209064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.224701881 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.224870920 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.300239086 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.300283909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.300311089 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.371381044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.371495008 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.440479994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.440526009 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.440552950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.522311926 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.587059975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.587130070 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.655781031 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.655936956 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.737876892 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.738147974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.813719034 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.813879967 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:39.871239901 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.871584892 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.871623993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:39.955097914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.029092073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.029138088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.029284000 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.029597998 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.103413105 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.170711994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.170756102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.170785904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.171081066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.255853891 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.255961895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.319148064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.319195032 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.319221973 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.319447994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.388557911 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.388726950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.471314907 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.471589088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.471875906 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.539876938 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.539989948 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.604134083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.604357958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.604422092 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.670803070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.670978069 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.755614042 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.755673885 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.825402021 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.887655973 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:40.974371910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:40.974538088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.040719032 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.040760994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.040868044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.121033907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.121140003 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.190054893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.190100908 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.190129995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.190340996 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.190393925 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.274890900 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.275055885 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.337472916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.337517023 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.337759972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.425753117 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.425859928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.490546942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.490711927 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.490742922 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.574512005 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.574675083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.641266108 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.641588926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.724978924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.790179968 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.790273905 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.790533066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.893852949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.894004107 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:41.940541029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.940751076 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:41.940880060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.038744926 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.109740973 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.109786987 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.172580004 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.172699928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.254328966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.254371881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.254601955 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.323338985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.323405981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.388040066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.388184071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.388195038 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.473042011 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.473217010 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.538813114 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.546005011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.607531071 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.688611031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.688676119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.688704967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.756684065 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.822902918 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.822916031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.823046923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.912671089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.912837029 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:42.972328901 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:42.972409010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.056236982 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.056345940 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.128180027 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.128360987 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.128391027 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.128669977 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.209109068 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.209284067 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.272052050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.272099972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.345057964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.424751997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.424797058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.424824953 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.492399931 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.492562056 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.563718081 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.563726902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.563734055 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.592878103 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.627599001 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.627706051 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.707951069 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.708060026 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.708092928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.708367109 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.785505056 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.785624981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.843394995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.843406916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.853399038 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:43.853801966 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.952630043 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:43.952805042 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.001317024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.001363039 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.001390934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.001418114 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.073435068 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.092751980 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.092822075 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.123730898 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.168132067 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.168245077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.168425083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.241211891 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.241385937 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.279444933 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.308233023 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.308291912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.308566093 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.326792955 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.343080044 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.344310045 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.379261971 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.379340887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.456557035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.456876993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.524163008 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.524245977 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.542860031 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.592363119 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.594717979 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.595027924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.604027987 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.604204893 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.679904938 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.680075884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.739628077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.739777088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.739809990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.740139008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.824847937 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.824949980 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.863512993 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.895296097 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.895670891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.895911932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.895924091 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:44.983081102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:44.983189106 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.040005922 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.040129900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.040386915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.040400028 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.126538992 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.126699924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.204065084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.204077959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.276865005 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.277034044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.341722965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.341744900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.341959953 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.341973066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.429249048 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.429351091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.492023945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.492255926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.492430925 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.559042931 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.559148073 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.644484043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.644938946 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.714591026 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.714694023 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.774154902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.774252892 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.774544001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.774792910 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.862541914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.862571955 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:45.929757118 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.929771900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.929905891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:45.930151939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.019835949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.019957066 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.077774048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.077904940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.159697056 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.235219002 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.235235929 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.235266924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.300394058 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.300492048 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.375044107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.375061035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.450594902 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.450639963 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.515568972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.515590906 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.515868902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.515882969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.594099998 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.594242096 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.665947914 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.665963888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.745626926 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.745718002 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.809453964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.809860945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.897206068 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.897322893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:46.960942030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.960958958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.960968018 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:46.961265087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.048676968 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.048778057 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.112561941 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.112597942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.112620115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.194964886 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.195075035 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.264067888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.264113903 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.264139891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.347403049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.347568989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.410602093 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.410680056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.496225119 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.496318102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.562951088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.563121080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.563153028 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.648646116 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.648828030 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.711767912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.711935997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.711967945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.798674107 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.798739910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.864011049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.864238024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.864267111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:47.948849916 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:47.949029922 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.014023066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.014256001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.014285088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.014519930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.097821951 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.097882032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.164294958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.164505005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.164532900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.245708942 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.245865107 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.313178062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.313208103 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.313452005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.397258997 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.397327900 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.461190939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.461249113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.461277008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.530277014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.530436993 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.612648964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.612694025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.612819910 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.612870932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.681699038 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.745759964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.746076107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.828931093 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.897202969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.897237062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.897478104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.897692919 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:48.984549999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:48.984644890 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.044087887 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.044508934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.044519901 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.134155989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.199873924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.199886084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.277710915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.349701881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.349713087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.434736967 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.434782028 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.493402004 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.581446886 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.650134087 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.650181055 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.713257074 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.713433981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.797117949 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.797163010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.865195036 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.928936958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.928950071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:49.999244928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:49.999365091 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.080589056 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.080631971 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.151158094 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.214867115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.215141058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.297967911 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.366782904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.366930962 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.450658083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.450769901 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.513649940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.513711929 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.601243019 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.601353884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.666137934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.666302919 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.666352034 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.752465010 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.752654076 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.817004919 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.817017078 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.817023039 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.901510954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:50.967914104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.968086004 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:50.968496084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.060055017 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.060148001 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.116740942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.116753101 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.116857052 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.204335928 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.275336981 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.275346994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.275352955 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.275651932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.349558115 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.349683046 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.419714928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.419728041 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.419734001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.419739962 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.484848976 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.484967947 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.564876080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.564888954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.564918995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.565397024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.634409904 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.634481907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.700088978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.700100899 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.700335026 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.783191919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.849689960 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.849889040 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.936218977 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.936372042 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:51.998764992 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.998775959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:51.998945951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.083316088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.151527882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.151591063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.151947975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.217333078 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.217452049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.298825026 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.298868895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.365809917 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.432826042 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.433074951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.433312893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.506905079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.507018089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.581444025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.581743002 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.649480104 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.649652958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.722433090 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.722498894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.722860098 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.782783985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.782849073 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.864830017 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.865181923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.865211010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.916759014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.916816950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:52.998097897 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.998430967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:52.998477936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.068052053 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.068231106 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.132183075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.132360935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.223146915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.223253012 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.283508062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.283559084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.283579111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.283938885 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.373074055 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.373136044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.438585043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.438647032 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.438676119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.520579100 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.520741940 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.588598967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.588643074 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.588670015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.588912964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.677778959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.677853107 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.736144066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.736268997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.736502886 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.821152925 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.821268082 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.893294096 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.893399954 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.893902063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:53.953023911 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:53.953110933 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.036737919 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.036801100 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.036832094 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.101181030 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.101286888 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.168420076 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.168463945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.168489933 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.256978989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.257138968 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.316725016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.316860914 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.387089014 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.387171030 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.472620964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.472692966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.472722054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.518760920 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.518929005 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.602560997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.602727890 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.602758884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.654551983 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.654637098 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.734266043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.734599113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.801780939 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.801950932 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.869884968 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.870146990 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.870332003 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:54.942635059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:54.942739010 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.017047882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.017501116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.017637014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.085478067 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.085586071 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.158353090 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.158376932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.218689919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.218795061 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.300776005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.300849915 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.300878048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.301245928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.372080088 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.372191906 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.434377909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.434428930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.434457064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.434704065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.504638910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.504807949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.587744951 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.587785959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.588073969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.653331041 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.720115900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.720191002 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.720220089 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.720779896 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.789088011 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.789202929 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.868886948 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.868962049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.868989944 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.869731903 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:55.922055006 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:55.922224045 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.004838943 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.004883051 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.071582079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.137759924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.137801886 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.137828112 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.138106108 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.207072973 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.207207918 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.287280083 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.287324905 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.287350893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.356798887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.422643900 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.422884941 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.486666918 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.486823082 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.572424889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.572669983 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.623120070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.702372074 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.702415943 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.702444077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.755407095 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.755512953 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.838695049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.839001894 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.888133049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.888228893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:56.971074104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.971121073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:56.971251011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.023644924 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.103656054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.103894949 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.104139090 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.154189110 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.154306889 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.239356041 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.239401102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.288717985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.369746923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.370074034 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.426934958 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.427104950 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.504407883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.504443884 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.504667044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.527189970 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.572119951 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.642364979 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.642657995 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.706610918 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.706772089 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.783521891 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.783688068 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.791727066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.791768074 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.845200062 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.922157049 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.922316074 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.922355890 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:57.981497049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:57.981662989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.040266991 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.060478926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.060519934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.060759068 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.060798883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.110651970 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.110735893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.196994066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.197072029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.197103024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.197465897 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.238756895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.238924026 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.326303005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.326390982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.326419115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.389219999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.389324903 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.454724073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.523030996 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.523221970 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.604832888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.604877949 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.604923964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.658118010 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.658200979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.738711119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.738775015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.739015102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.792032003 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.792203903 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:58.873630047 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.873652935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.873780966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:58.926059961 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.007519960 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.007775068 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.008013010 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.060647011 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.141629934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.141674042 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.189938068 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.190089941 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.276166916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.276447058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.307408094 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.307473898 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.405499935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.405946970 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.442190886 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.442318916 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.522999048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.523072958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.559568882 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.559680939 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.657773018 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.657845974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.658221006 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.691385984 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.691518068 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.775053024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.775346041 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.775384903 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.808484077 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.808526993 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.907069921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.907080889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:01:59.944005966 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:01:59.944073915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.023808002 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.023818016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.023969889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.060127020 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.159707069 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.194709063 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.194833994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.275464058 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.275475979 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.275482893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.310695887 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.310743093 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.410000086 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.410072088 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.410100937 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.448134899 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.448288918 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.525928974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.526062965 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.576471090 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.663697958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.663738966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.663800001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.709059954 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.709249973 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.792027950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.792190075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.826613903 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.826711893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.924559116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.924571037 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.924705029 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.924721956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:00.958146095 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:00.958249092 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.041918993 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.042027950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.042057991 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.042414904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.078731060 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.078906059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.173855066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.173897028 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.173923969 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.211642981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.211811066 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.298683882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.298727036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.325387955 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.427270889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.427340031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.427370071 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.461880922 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.462001085 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.541189909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.541235924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.541261911 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.577430964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.677357912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.677771091 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.710385084 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.710514069 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.793129921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.793173075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.793199062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.827708006 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:01.925901890 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.925925016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.926069021 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:01.959495068 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.042978048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.042989016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.043344021 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.078303099 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.174870014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.174913883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.175009012 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.214155912 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.293822050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.347388983 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.347547054 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.429693937 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.430023909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.483700037 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.483864069 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.562916040 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.562990904 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.563124895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.614444017 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.614613056 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.699230909 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.699326992 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.699470043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.727103949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.830132008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.830143929 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.830151081 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.830326080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.847791910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.942545891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.942990065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:02.984028101 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:02.984189987 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.063225031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.063236952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.063242912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.063249111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.109998941 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.110200882 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.199301958 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.199425936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.199525118 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.228498936 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.325392008 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.325402975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.325563908 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.344358921 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.344557047 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.443815947 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.443928957 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.443938017 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.461087942 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.559664011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.559679985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.559958935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.560065985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.581063032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.676486015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.676497936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.676505089 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.694528103 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.796263933 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.796278000 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.796288013 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.796535015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.816055059 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.816201925 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.909787893 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.909815073 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.910032988 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.910059929 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:03.949208021 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:03.949374914 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.031438112 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.031470060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.031658888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.062913895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.063086987 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.164621115 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.164732933 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.198219061 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.198379993 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.278182030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.278635025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.313468933 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.313621998 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.413568020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.413777113 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.445389032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.445571899 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.528824091 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.528867006 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.529198885 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.569605112 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.569772959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.660841942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.661289930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.686012030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.698863983 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.699033976 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.785109043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.785403967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.811881065 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:04.914388895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.914484978 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.914494038 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:04.944935083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.027247906 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.027259111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.027409077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.065679073 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.160234928 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.160245895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.160810947 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.179564953 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.281110048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.281121016 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.281135082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.281141043 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.298305035 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.298451900 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.394889116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.395030022 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.395039082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.414679050 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.513598919 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.513741970 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.513753891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.532541990 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.532732964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.603686094 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.630119085 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.630131006 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.630253077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.648631096 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.747915030 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.747925997 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.748168945 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.767272949 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.767427921 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.862150908 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.862416029 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.863780022 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.863902092 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.881514072 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.881685972 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:05.982404947 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.982567072 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.982687950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:05.982938051 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.003012896 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.003187895 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.081867933 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.096805096 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.097142935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.097246885 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.097254992 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.130861044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.131045103 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.134546995 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.218250036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.218478918 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.255048990 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.255235910 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.345994949 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.346111059 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.346419096 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.353600979 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.354711056 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.381828070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.470170021 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.470325947 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.470555067 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.470802069 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.498009920 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.498167038 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.597062111 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.597167015 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.597356081 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.597620964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.613715887 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.613867998 CET	49761	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.615817070 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.616002083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.713133097 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.713222980 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.713349104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.713603020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.734612942 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.734800100 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.830921888 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.831191063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.831295967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.850680113 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.850867033 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.873488903 CET	56001	49761	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.949830055 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.949943066 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.950108051 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.950356960 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:06.987014055 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:06.987087011 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.066477060 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.066485882 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.066492081 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.066498041 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.100323915 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.100497961 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.202178955 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.217725992 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.217895985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.315660000 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.315675020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.315681934 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.334657907 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.334789991 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.433156967 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.433170080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.433334112 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.433442116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.452054024 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.549902916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.549917936 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.549994946 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.550220966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.568001032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.667294025 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.667428017 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.667618036 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.669141054 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.669297934 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.782555103 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.783318996 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.783339024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.882030964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.882141113 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:07.884429932 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.884701014 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.998136044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:07.998147011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.001307011 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.097259045 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.097450972 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.097460032 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.116076946 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.216545105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.216555119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.233967066 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.234124899 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.331552982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.331566095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.331573009 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.353121042 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.449389935 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.449400902 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.449512959 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.468919992 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.469046116 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.568346977 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.568541050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.583242893 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.583415985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.684073925 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.684217930 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.688168049 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.688311100 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.798495054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.798640013 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.798741102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.801529884 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.801707029 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.899864912 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.899960995 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:08.903456926 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:08.903625011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.016691923 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.017220974 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.038158894 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.115251064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.115353107 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.132745028 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.236350060 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.253649950 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.253663063 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.347964048 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.348162889 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.348172903 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.354165077 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.451781988 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.451795101 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.469022989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.569591045 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.569636106 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.583686113 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.583805084 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.684500933 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.684545994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.684607983 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.687813044 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.687980890 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.799274921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.799689054 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.805798054 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.805922985 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.901006937 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:09.903376102 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.903386116 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:09.903548956 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.017424107 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.021317005 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.021511078 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.116411924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.116425037 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.116431952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.121709108 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.232758045 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.232857943 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.236916065 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.334264994 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.334410906 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.337110996 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.337124109 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.438802004 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.452255964 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.452269077 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.549705982 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.549827099 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.549918890 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.555727959 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.555871964 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.649270058 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.649420023 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.654247999 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.654259920 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.756171942 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.771199942 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.771213055 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.771512985 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.771523952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.849987984 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.864701986 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.864799023 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:10.952009916 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.952130079 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:10.971663952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.065527916 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.065572023 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.071940899 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.072154999 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.167572975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.167772055 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.167812109 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.168045998 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.172890902 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.173058987 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.287444115 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.287516117 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.287631989 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.287662029 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.294460058 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.336524963 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.388231039 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.388442039 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.388454914 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.388611078 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.388704062 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.502966881 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.502985001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.503196001 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.506593943 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.506700993 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.552675009 CET	56001	49763	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.602060080 CET	49763	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.603781939 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.603817940 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.603980064 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.604799032 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.604831934 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.706646919 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.706815004 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.721812963 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.721955061 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.820091963 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.820126057 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.820137024 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.820161104 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:11.820197105 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.921926975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.922141075 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.922151089 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:11.922645092 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.035489082 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.035501957 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.035507917 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.036554098 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.137151957 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.137912035 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.137921095 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.237695932 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.237801075 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.251944065 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.251955986 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.251961946 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.338509083 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.338536024 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.338623047 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.338783979 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.352361917 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.352509022 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.352603912 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.440685034 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.453155994 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.453243971 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.540316105 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.553911924 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.553924084 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.553930044 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.554116011 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.639121056 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.656157017 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.656169891 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.737202883 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.737359047 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.755640984 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.755687952 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.755716085 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.838726997 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.854435921 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.854448080 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.939310074 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.939476013 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:12.952635050 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.952903032 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:12.953152895 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.038114071 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.054112911 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.054131031 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.054136992 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.154723883 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.154978037 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.166457891 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.166613102 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.253693104 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.253739119 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.271172047 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.271294117 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.371263981 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.371433973 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.381968975 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.382277966 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.382318020 CET	56001	49762	88.99.161.62	192.168.11.20
Dec 10, 2024 07:02:13.471704006 CET	49762	56001	192.168.11.20	88.99.161.62
Dec 10, 2024 07:02:13.471894026 CET	49762	56001	192.168.11.20	88.99.161.62

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 07:00:58.414688110 CET	192.168.11.20	1.1.1.1	0x75ae	Standard query (0)	1hvnc.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 07:00:58.567433119 CET	1.1.1.1	192.168.11.20	0x75ae	No error (0)	1hvnc.duckdns.org		88.99.161.62	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:00:12
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\i9DKxTZoVd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\i9DKxTZoVd.exe"
Imagebase:	0x400000
File size:	1'336'796 bytes
MD5 hash:	108B6783FB581F9F9CE33936379EE0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:00:12
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp" /SL5="$1041C,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe"
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	14C6FA8E50B4147075EB922BD0C8B28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:00:13
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x5c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:00:13
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6af2b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:00:13
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 3
Imagebase:	0x230000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:00:16
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\i9DKxTZoVd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x400000
File size:	1'336'796 bytes
MD5 hash:	108B6783FB581F9F9CE33936379EE0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:00:16
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp" /SL5="$20468,956295,140800,C:\Users\user\Desktop\i9DKxTZoVd.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	14C6FA8E50B4147075EB922BD0C8B28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:00:16
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"
Imagebase:	0x960000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:00:16
Start date:	10/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s /i:INSTALL "C:\Users\user\AppData\Roaming\\Swallow.dat"
Imagebase:	0x7ff6d2710000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	01:00:21
Start date:	10/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff7c94f0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:00:21
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6af2b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:00:27
Start date:	10/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AF4B0CC-A257-4A7E-E201-D5DF536679FB}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Imagebase:	0x7ff7c94f0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:00:27
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6af2b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:00:29
Start date:	10/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat
Imagebase:	0x7ff6d2710000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:00:35
Start date:	10/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\Swallow.dat' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff7c94f0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1704, Parent PID: 7388

General

Target ID:	16
Start time:	01:00:35
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6af2b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFB5B8A8ED8 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101808651797.00007FFB5B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed4e4a74d973d8650095ef2dcc339da299e968bfa0b53ef97527ccbce5c7e23
Instruction ID: fdb7576e4b4d0fa6ce74ff1e24f6ae5b5e1f1e4182f404a0673e15ceb6669a03
Opcode Fuzzy Hash: fed4e4a74d973d8650095ef2dcc339da299e968bfa0b53ef97527ccbce5c7e23
Instruction Fuzzy Hash: 6C31087190CB884FDB59DA6C8C4A2F93FE0EB96321F04827FD188C71A7D965581AC791

Function 00007FFB5B8A7E98 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101808651797.00007FFB5B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf0994e91668dba0fac93c8fcf7497c68f74a253fe68634803d87cb3edf3e08
Instruction ID: 9969aaf656f715d1d947bf3c1a7702a03495b27e3b9ef5a7fcdcef2c5aebccbe
Opcode Fuzzy Hash: bdf0994e91668dba0fac93c8fcf7497c68f74a253fe68634803d87cb3edf3e08
Instruction Fuzzy Hash: 4D7149B6A0DF854FE7054A7C985A0F43FA1EF52320F0842BBD0C88B1E7D9286C068796

Function 00007FFB5B78EF00 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101808032875.00007FFB5B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B78D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b78d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bfbb4082011321c187fe68c13eaeee690fcc2401f448b727625ddcbed916f4
Instruction ID: 69e504e976332539054963545527f1b1c18e3959d52c333e033ced575eb05644
Opcode Fuzzy Hash: c6bfbb4082011321c187fe68c13eaeee690fcc2401f448b727625ddcbed916f4
Instruction Fuzzy Hash: 5741C2B140DBC44FE7978B389855A523FB0EF56320B1945DFE088CB1A7D629A846C792

Function 00007FFB5B8A36C5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101808651797.00007FFB5B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ab1351f01921192a4484a8dc8bd2cd8c5e113e0c24d4ad837c7bbd034a6c60
Instruction ID: 1e694ce0e817e9889de53fd90cef0e2f15737d97856cda206e1182ba78d51303
Opcode Fuzzy Hash: d6ab1351f01921192a4484a8dc8bd2cd8c5e113e0c24d4ad837c7bbd034a6c60
Instruction Fuzzy Hash: 7801677151CB0C4FD744EF0CE451AA5B7E0FB95324F10066DE58AC3665DA36E892CB45

Function 00007FFB5B973642 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101809243020.00007FFB5B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60d0de6326762fd27bd5d9994edf28f49e1cbbbb7cb46c3b5bf6d6678242639
Instruction ID: 30132026bb49150a90e2e87b244eba6458c24f97341ec446d095fc630f3f9e4c
Opcode Fuzzy Hash: b60d0de6326762fd27bd5d9994edf28f49e1cbbbb7cb46c3b5bf6d6678242639
Instruction Fuzzy Hash: 90F05472A0C6494FD758EB5CE4465A877E0FF4532075840B7E18DC7577DA2AAC42C784

Function 00007FFB5B8A8660 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101808651797.00007FFB5B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2901c6a704f490266f926cec3212551609e433a48be33fbde3e183a683019b
Instruction ID: fa8368d1d0766544bf75c3b2dbecec10635a06ac11b45b34b72db70c298db00b
Opcode Fuzzy Hash: 1d2901c6a704f490266f926cec3212551609e433a48be33fbde3e183a683019b
Instruction Fuzzy Hash: 78F0F6758086898FEB069F24C8599E57FA0EF26310B040297E458C71B2DB649854C7D2

Function 00007FFB5B9738F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.101809243020.00007FFB5B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb5b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0a1074734935300aed9e34bfcce58bbf754a867ffdbd4d591eff0488760c
Instruction ID: 4dcebae406cb2ce42ff207ec9164c4c4d30ea5ac764b1566daa95ca5ab333ebe
Opcode Fuzzy Hash: 6d4b0a1074734935300aed9e34bfcce58bbf754a867ffdbd4d591eff0488760c
Instruction Fuzzy Hash: E8F05E72A0C6498FD758EB6CE4425E877E0FF05320B5840B6E18DCB473DA2AAC41C740

Analysis Process: powershell.exePID: 5652, Parent PID: 4752COMMON

Executed Functions

Function 00007FFB5B985AD4 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101916752489.00007FFB5B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349e848d9bef91bca064fd139e0a531918d7e7191d65c7f3e8f9aa01f99b474b
Instruction ID: bc5fc1d3c5ba54a1c9ab8248f415fb794f54a474fb73629fa483cf701b93bbc7
Opcode Fuzzy Hash: 349e848d9bef91bca064fd139e0a531918d7e7191d65c7f3e8f9aa01f99b474b
Instruction Fuzzy Hash: B0511692A0DBC90FD3969A3CD8655647FE1DF56310B0941FFE089CB2E7D909AC48C381

Function 00007FFB5B8B8405 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101915582457.00007FFB5B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0752a8a1262e70e8f44ec6a41cbcc5b4f506a664ef2e74bdeea2679e94cfd2df
Instruction ID: f912db2fbfc4b5cc242094205c2575c9b4039ec8169009847a04dd72f3eef24b
Opcode Fuzzy Hash: 0752a8a1262e70e8f44ec6a41cbcc5b4f506a664ef2e74bdeea2679e94cfd2df
Instruction Fuzzy Hash: E131047091CB488FDB099F5CD84A6A87BE0FB99320F04426FE449C3262DB74A855CBC2

Function 00007FFB5B79EE20 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101913937817.00007FFB5B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B79D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa853db7c4898d9dde667872d16923305ff3105f744ee4001ab4aa8d9a03d4f8
Instruction ID: 7824fe91e0c6cd6d87930bca5755a66269ca1a97b6738af7adccd7bfca2ccfc7
Opcode Fuzzy Hash: fa853db7c4898d9dde667872d16923305ff3105f744ee4001ab4aa8d9a03d4f8
Instruction Fuzzy Hash: 1741CF7180DBC44FE7569B38D841A523FF0EF52320F1905EBD088CB1B7D629A84ACB92

Function 00007FFB5B8B9348 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101915582457.00007FFB5B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df8b734068d81eece27e3235f15f70ab886ac2b22223eea45151bcb2e733239
Instruction ID: 2004fdea6f6bb5eb6bebeface60751c7b4791b887be459c5d7ddffe9a7c840e8
Opcode Fuzzy Hash: 2df8b734068d81eece27e3235f15f70ab886ac2b22223eea45151bcb2e733239
Instruction Fuzzy Hash: 09213A7190CA4C8FDB59DFACD84A7E97BE0EB9A321F04816FD048C3152C674644ACB91

Function 00007FFB5B8B3475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101915582457.00007FFB5B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26e880e1d71fe7436f510caca523963cd19ce89c1addea80b81cc1ac8720924
Instruction ID: 7bfa5ff863b3d468a15e32b9328bb66b38d8306a6e1f7bd1906714c657015a01
Opcode Fuzzy Hash: e26e880e1d71fe7436f510caca523963cd19ce89c1addea80b81cc1ac8720924
Instruction Fuzzy Hash: 6B01677151CB0C4FD748EF0CE451AA6B7E0FB95324F10056EE58AC36A5DA36E892CB45

Function 00007FFB5B8B9188 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101915582457.00007FFB5B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c60b0ecdeb965c074a618e397dba33afa51d5efeee396229274115745ff901
Instruction ID: 6535c3d2cd0ee5c07557954fa15f5852c9899cdcf7ff16bb653e5fbe7b822fbc
Opcode Fuzzy Hash: a0c60b0ecdeb965c074a618e397dba33afa51d5efeee396229274115745ff901
Instruction Fuzzy Hash: 0CF02B758086898FDB06DF3488555D57FE0FF16310B0902D7E458C71B2DB799858C7C2

Function 00007FFB5B98460D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101916752489.00007FFB5B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8fddd2df4f7a7ef305da5270ef3a6b38129f8f623d5d27afa44daa6217565d
Instruction ID: a2da41564fff74dc5b76a10d9215f58ae4d4ed9436f85f153b6dc08a255ae79a
Opcode Fuzzy Hash: 7c8fddd2df4f7a7ef305da5270ef3a6b38129f8f623d5d27afa44daa6217565d
Instruction Fuzzy Hash: E9F05E72A0C6498FD799EA6CE4464A877E0EF45320B1940BAE19DC7573CA29EC41C784

Function 00007FFB5B9848C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101916752489.00007FFB5B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a798107fcba4478d08aa1b32ceee6c2e8ebc52eec95fe17f28ef6cf22b67ebe
Instruction ID: be203b87090e8f1350351b3f7af25762413e3a66a716199180c697008854b608
Opcode Fuzzy Hash: 5a798107fcba4478d08aa1b32ceee6c2e8ebc52eec95fe17f28ef6cf22b67ebe
Instruction Fuzzy Hash: 78F082B2A0C6498FD798EB6CE4418A877E0FF45324B1940F6E19DCB573CA2AEC41C740

Non-executed Functions

Function 00007FFB5B983061 Relevance: 1.0, Instructions: 1020COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.101916752489.00007FFB5B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0a0f5836444e361ff7a94c5ca23d2e27b35de95845f034e8009dff1ed91333
Instruction ID: c8ca36f651a4b2570ee9f153cb4a29293b4b59ad28928132ad7c3caed3d6bb57
Opcode Fuzzy Hash: db0a0f5836444e361ff7a94c5ca23d2e27b35de95845f034e8009dff1ed91333
Instruction Fuzzy Hash: CF52C3A2A0DB890FE396967CD8552B57BE1EF56320B0D41FBF08DCB1A7D91D9C068381

Function 00007FFB5B8B8BDA Relevance: 5.5, Strings: 4, Instructions: 499COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFB5B8B8BDA
K_^, xrefs: 00007FFB5B8B8C5A
K_^, xrefs: 00007FFB5B8B8C4A
K_^, xrefs: 00007FFB5B8B8C0A

Memory Dump Source

Source File: 0000000C.00000002.101915582457.00007FFB5B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB5B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffb5b8b0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 68674b3459f2dd42f5fb18269138045810e493fb7bd2253a6e5c3e8014526aed
Instruction ID: 8b7c5559ce787a98cccade4abd8d026ac6f76646fdcdd0f0f6f916b9d0f58f43
Opcode Fuzzy Hash: 68674b3459f2dd42f5fb18269138045810e493fb7bd2253a6e5c3e8014526aed
Instruction Fuzzy Hash: 688126E2A0DA854FE756973C98A91F97FE0FF62324B0C41BBC1858B1E7D91828068381

Analysis Process: regsvr32.exePID: 3552, Parent PID: 1356COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	12.7%
Total number of Nodes:	785
Total number of Limit Nodes:	9

Executed Functions

Function 00007FFB9909D3C0 Relevance: 110.4, APIs: 51, Strings: 10, Instructions: 3612COMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32 ref: 00007FFB9909D5AA

Part of subcall function 00007FFB990630E0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99063501

CloseHandle.KERNEL32 ref: 00007FFB9909E3B0
GetLastError.KERNEL32 ref: 00007FFB990A1373
CloseHandle.KERNEL32 ref: 00007FFB990A1464
CloseHandle.KERNEL32 ref: 00007FFB990A14AB
CloseHandle.KERNEL32 ref: 00007FFB990A1512
CloseHandle.KERNEL32 ref: 00007FFB990A1527
CloseHandle.KERNEL32 ref: 00007FFB990A19E4

Strings

\?\\, xrefs: 00007FFB9909DE48
assertion failed: self.height > 0, xrefs: 00007FFB990A12FF
exe\\.\NULexit code: , xrefs: 00007FFB9909EB49, 00007FFB9909ECB1, 00007FFB9909EE98, 00007FFB9909F14B, 00007FFB9909F39E
program path has no file name, xrefs: 00007FFB990A1A50
assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FFB9909E276, 00007FFB9909EC5D
]?\\, xrefs: 00007FFB9909DE50
.exeprogram not found, xrefs: 00007FFB9909DFED
#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c ", xrefs: 00007FFB990A0685
PATHstd\src\sys_common\process.rs, xrefs: 00007FFB9909F2B5
\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FFB9909F8E7, 00007FFB9909F928

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$EnvironmentErrorFreeLastStringsmemcpy
String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
API String ID: 3975177916-1077193248
Opcode ID: e8877b0d29b33cd03fe259f025adacbbc739ced8d1796b01c68c2241a0806bfd
Instruction ID: 448c7a60fea09a338c33b84d7b43bf2074297b3ccb88b6c3bb8a13fde09d2407
Opcode Fuzzy Hash: e8877b0d29b33cd03fe259f025adacbbc739ced8d1796b01c68c2241a0806bfd
Instruction Fuzzy Hash: ED73D3A2A09AD289EBB48F35D8043FE27A1FB15B88F505135CE6D5BB86DF39D641C340

Function 00007FFB990119D0 Relevance: 37.7, APIs: 19, Strings: 2, Instructions: 916memorytimenativeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32 ref: 00007FFB99011A61
GetSystemTimes.KERNEL32 ref: 00007FFB99011AB1
GetProcessIoCounters.KERNEL32 ref: 00007FFB99011C60
OpenProcessToken.ADVAPI32 ref: 00007FFB99011D34
GetTokenInformation.ADVAPI32 ref: 00007FFB99011D7C
GetProcessHeap.KERNEL32 ref: 00007FFB99011D8E
HeapAlloc.KERNEL32 ref: 00007FFB99011DAC
GetTokenInformation.ADVAPI32 ref: 00007FFB99011DD2
CloseHandle.KERNEL32 ref: 00007FFB99011F11
NtQueryInformationProcess.NTDLL ref: 00007FFB99012068
ReadProcessMemory.KERNEL32 ref: 00007FFB990120C0
ReadProcessMemory.KERNEL32 ref: 00007FFB990120EF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99012115
ReadProcessMemory.KERNEL32 ref: 00007FFB990121A8
ReadProcessMemory.KERNEL32 ref: 00007FFB990121D6
VirtualQueryEx.KERNEL32 ref: 00007FFB99012459
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB990128B9
GetModuleFileNameExW.PSAPI ref: 00007FFB990128D2

Part of subcall function 00007FFB99041330: GetLastError.KERNEL32 ref: 00007FFB99041334

GetProcessTimes.KERNEL32 ref: 00007FFB99012A09

Strings

), xrefs: 00007FFB9901251B
Unable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs, xrefs: 00007FFB9901250F

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Process$MemoryRead$InformationTimesToken$HeapQuery$AllocCloseCountersErrorFileHandleLastModuleNameOpenSystemVirtualmemcpymemset
String ID: )$Unable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs
API String ID: 2429014559-2122791606
Opcode ID: f7f2dfa0bfeee887a9a58c51f0b83762a470b589c1058d6d2acb4d121fd7d8b5
Instruction ID: 2dab7277b1424de834f13dc4419000b9411e03e385e6602e84ebff9b7d405236
Opcode Fuzzy Hash: f7f2dfa0bfeee887a9a58c51f0b83762a470b589c1058d6d2acb4d121fd7d8b5
Instruction Fuzzy Hash: C39291A2A08B8381EAF49F35E4403FA67A0FB84784F448535DAAD57B95DF3CE595CB00

Function 00007FFB98FF4140 Relevance: 36.2, APIs: 14, Strings: 6, Instructions: 1185memorysynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00007FFB98FF4228
GetLastError.KERNEL32 ref: 00007FFB98FF422D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF4287
HeapAlloc.KERNEL32 ref: 00007FFB98FF42ED
GetLastError.KERNEL32 ref: 00007FFB98FF42F5
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF433D
HeapFree.KERNEL32 ref: 00007FFB98FF434D
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF448A

Strings

a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 00007FFB98FF5778
[_^A^, xrefs: 00007FFB99053893
, xrefs: 00007FFB98FF51D3
Failed to execute command, xrefs: 00007FFB98FF5816
not yet implemented, xrefs: 00007FFB98FF57BA
tz%, xrefs: 00007FFB99053821

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorHeapLastmemcpy$AllocCreateFreeMutexmemcmp
String ID: $Failed to execute command$[_^A^$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs$not yet implemented$tz%
API String ID: 1612371893-4145309991
Opcode ID: 306804f8429946d84fd0d9c0b38720407107e4c4edf45aaf09ab6711b3670113
Instruction ID: 6a3e1e4e53bcde3c027958db164ca81588d620936c68dbec0e7ed54c3d3705a3
Opcode Fuzzy Hash: 306804f8429946d84fd0d9c0b38720407107e4c4edf45aaf09ab6711b3670113
Instruction Fuzzy Hash: 38C27AB261CB9280EB709B21E0403EAB7A1FB85B84F945536DE8D07B99DF3DE145CB44

Function 00007FFB98FF1CC0 Relevance: 17.4, APIs: 8, Strings: 1, Instructions: 1640COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB99008290: GlobalMemoryStatusEx.KERNEL32 ref: 00007FFB9900835D
Part of subcall function 00007FFB99008290: K32GetPerformanceInfo.KERNEL32 ref: 00007FFB990083F9

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF1E50
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF1E9B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF213E

Strings

0x0o0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 00007FFB990EADF1, 00007FFB990EAEA1

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$GlobalInfoMemoryPerformanceStatus
String ID: 0x0o0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
API String ID: 4293763300-3431789093
Opcode ID: 926480860362c9b0ba195ff6333f0d8137a941f52978fb87594afb95eac167be
Instruction ID: f374402df96428e9f296d8ec7996da1ddf603b603640599a860ce6d123ad3532
Opcode Fuzzy Hash: 926480860362c9b0ba195ff6333f0d8137a941f52978fb87594afb95eac167be
Instruction Fuzzy Hash: E7E212B2B1864381EB709B36E0017BA6750BF85BD4F946A35EE8D07799DF3DE2448708

Function 00007FFB9909BA70 Relevance: 12.5, APIs: 8, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFB9909BAE0
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFB9909BB0C

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Process$CurrentPrng
String ID:
API String ID: 716580790-0
Opcode ID: 9a63dd73fd40b28bc31c2260c1820278c048a26c35a56022da1d8901d8f0caa1
Instruction ID: d8bfc6b6f05b51c524cd4ec70df3f64cd7a3e56e337e4faf30406ca42e16b0cd
Opcode Fuzzy Hash: 9a63dd73fd40b28bc31c2260c1820278c048a26c35a56022da1d8901d8f0caa1
Instruction Fuzzy Hash: 8122D5B2E05AA28AFBB48F35D8113B92B91FB447A8F144635EA6E477C6DF3DD5418300

Function 00007FFB98FFD2B0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFB98FFD2E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFD73D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFD7DC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFDADC

Part of subcall function 00007FFB990CF8D0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990CF929

Part of subcall function 00007FFB990CF8D0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990CF994

Strings

unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\cpu.rs, xrefs: 00007FFB98FFD709
0, xrefs: 00007FFB98FFD3F5

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$InfoSystem
String ID: 0$unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\cpu.rs
API String ID: 1915069931-4250957935
Opcode ID: 54a7f814418847904aaa6705f7122f83602348c92790ed802303e772916d8cf7
Instruction ID: e6052116eae0bc371e997ccca8eff434248a1d073ad0da8b9c1e05bb6e50c058
Opcode Fuzzy Hash: 54a7f814418847904aaa6705f7122f83602348c92790ed802303e772916d8cf7
Instruction Fuzzy Hash: 6A22C7B2A0C69181EB70AB25E0403BAA7A0FB85BC4F649535DF8D07B9ADF7DE541C704

Function 00007FFB99014570 Relevance: 3.4, APIs: 2, Instructions: 401
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFB99014658

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 790771e9d2b311173de4575980f628a20167decbdbb59aa7f8e9ea8ed94ff7ad
Instruction ID: 7a1213fcb1a108ae0ded51ca4c609a26f228f36ef22a56d90b2a81107a496bf1
Opcode Fuzzy Hash: 790771e9d2b311173de4575980f628a20167decbdbb59aa7f8e9ea8ed94ff7ad
Instruction Fuzzy Hash: 4A0282B2A1DB8281EBB59F21E0403ABB7A1FB86BC0F548435DA9D47B99DF3DD5448700

Function 00007FFB9907A170 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5510ef113cd0099712f7f3f172633a19891afc883e0d682ac8346d33fa30402
Instruction ID: 9e5cb78e30f246e1343527c88457694bab62a54aadd75befb54a76cd840b5492
Opcode Fuzzy Hash: e5510ef113cd0099712f7f3f172633a19891afc883e0d682ac8346d33fa30402
Instruction Fuzzy Hash: FAE01221A649E2D9FA16DFB8D8465F463716F90359B440611E94E16154AE38D3D1C604

Function 00007FFB9908E2B0 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 272
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFB9908E332
CloseHandle.KERNEL32 ref: 00007FFB9908E414
WaitForSingleObject.KERNEL32 ref: 00007FFB9908E421
GetLastError.KERNEL32 ref: 00007FFB9908E42A
CloseHandle.KERNEL32 ref: 00007FFB9908E4A9
CloseHandle.KERNEL32 ref: 00007FFB9908E4B2
CloseHandle.KERNEL32 ref: 00007FFB9908E5A9
CloseHandle.KERNEL32 ref: 00007FFB9908E5EF
CloseHandle.KERNEL32 ref: 00007FFB9908E5F8

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFB9908E3B5, 00007FFB9908E50E, 00007FFB9908E53C

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1454876536-2333694755
Opcode ID: 4622f5ef01afa671e17d50ea80cab3d94a0515aa6262abb91f1b43ba50a09c45
Instruction ID: a0fde5dc8c699ecd303915f12ba0f28a92c49306daca16e66c0d63eef35fbf8e
Opcode Fuzzy Hash: 4622f5ef01afa671e17d50ea80cab3d94a0515aa6262abb91f1b43ba50a09c45
Instruction Fuzzy Hash: DAC15BB2B08A9399EB60AF76D8403EC3B60BB54798F144031EE6D57B99DF39E585C340

Function 00007FFB99008290 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00007FFB9900835D
K32GetPerformanceInfo.KERNEL32 ref: 00007FFB990083F9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99008532
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99008637

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 00007FFB99008558, 00007FFB9900865E
@, xrefs: 00007FFB99008350

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$GlobalInfoMemoryPerformanceStatus
String ID: @$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
API String ID: 4293763300-1373735107
Opcode ID: e28a955019ed786fc4b7ea111ed4ac73c7eae90f47c405532ad5512a77d2755e
Instruction ID: 59dde133c6bf96c61a226830b5c89ff7cad9672f194bd29b00edc5c1b1926f11
Opcode Fuzzy Hash: e28a955019ed786fc4b7ea111ed4ac73c7eae90f47c405532ad5512a77d2755e
Instruction Fuzzy Hash: 6B918E62A18BC681F7B18B24E4027FAA360FBD6744F009325EADD02B95EF7DD185CB40

Function 00007FFB9909C3B0 Relevance: 9.2, APIs: 6, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFB9909C650: CreateEventW.KERNEL32(00000000,?,?,00007FFB9909C3DC), ref: 00007FFB9909C678

CloseHandle.KERNEL32 ref: 00007FFB9909C3ED
GetOverlappedResult.KERNEL32 ref: 00007FFB9909C4BD

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseCreateEventHandleOverlappedResult
String ID:
API String ID: 3756958029-0
Opcode ID: 355faade7bac29bcd4c5ebe2af3383654b138340226fca9017914fac89a0fe6c
Instruction ID: 9887e50e3daf20a4e7d46fc723f2474cd0b4028ad4c7cfe9299d9c0ae823db86
Opcode Fuzzy Hash: 355faade7bac29bcd4c5ebe2af3383654b138340226fca9017914fac89a0fe6c
Instruction Fuzzy Hash: 966180A2F0866389FBB08F75C4413BC2BA0AB15798F544435EE5D9BB86DF39E5C58380

Function 00007FFB99013E20 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhCollectQueryData.PDH ref: 00007FFB99013E5D
PdhOpenQueryA.PDH ref: 00007FFB99013FAD

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 00007FFB99014357
key_used disappeared, xrefs: 00007FFB99013EFB
global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\system.rs, xrefs: 00007FFB99014333

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Query$CollectDataOpen
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs$global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\system.rs$key_used disappeared
API String ID: 1159074299-968433683
Opcode ID: 46960911b40cb9a927aa096cc1974b329453aa525ff52a8b9caf07261619081b
Instruction ID: 7c1b769c6b5d65fc2f6a6a8d69d37b168fb2b20d93423d726d80ffa49513abf9
Opcode Fuzzy Hash: 46960911b40cb9a927aa096cc1974b329453aa525ff52a8b9caf07261619081b
Instruction Fuzzy Hash: A6F18DA2A08B9281E7B09F35E4013AA77A0FB85B94F549235EEAD077E5DF3DE445C340

Function 00007FFB99095AE0 Relevance: 7.7, APIs: 5, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FFB99095D0B
GetLastError.KERNEL32 ref: 00007FFB99095D27

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 22b187b5b003b3bb62fe2197e73667aab976a0dff98c5650e2d6d8fda656f44a
Instruction ID: 44d034c40090df5cfc3dfd41593186309027f7a8e894296001539be840394e37
Opcode Fuzzy Hash: 22b187b5b003b3bb62fe2197e73667aab976a0dff98c5650e2d6d8fda656f44a
Instruction Fuzzy Hash: 266192D1E086974AFBB58F32C5043B92AE16F45B98F144531DDBE47BCADE2DD8468700

Function 00007FFB99004BA0 Relevance: 6.3, APIs: 4, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopySid.ADVAPI32 ref: 00007FFB99004BEF
LookupAccountSidW.ADVAPI32 ref: 00007FFB99004D59
LookupAccountSidW.ADVAPI32 ref: 00007FFB99004DED
LocalFree.KERNEL32 ref: 00007FFB99004F7A

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: AccountLookup$CopyFreeLocal
String ID:
API String ID: 3405025632-0
Opcode ID: 1eaab3c5d766325dbd0190a3a7f479658cb86e787e1f623badaa0aa559fbca9b
Instruction ID: 0909d2a9ba7b9763d5c11d9912395e263ff804049882a1eb3174e7882a983327
Opcode Fuzzy Hash: 1eaab3c5d766325dbd0190a3a7f479658cb86e787e1f623badaa0aa559fbca9b
Instruction Fuzzy Hash: E7C19DB2608B4381FAB09F21E4503BAB7A0FB89390F544135EE9D46B95EF7DE441CB04

Function 00007FFB9909C650 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,?,?,00007FFB9909C3DC), ref: 00007FFB9909C678
GetLastError.KERNEL32(00000000,?,?,00007FFB9909C3DC), ref: 00007FFB9909C6D7
CloseHandle.KERNEL32(00000000,?,?,00007FFB9909C3DC), ref: 00007FFB9909C718
CloseHandle.KERNEL32(00000000,?,?,00007FFB9909C3DC), ref: 00007FFB9909C720

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID:
API String ID: 3743700123-0
Opcode ID: 73f5e18a21dc9f94ee0a9d8b981ef5d1567ae42563fc873a66b45c2830b1b57f
Instruction ID: 1c49524a8c92ed7e241565a2115773fffa2058996640a7a07ac67985c57d2864
Opcode Fuzzy Hash: 73f5e18a21dc9f94ee0a9d8b981ef5d1567ae42563fc873a66b45c2830b1b57f
Instruction Fuzzy Hash: 3511B463B0875242F6A99F72E5553782660AB89790F188034DFAD47BC2EF3DE4E28340

Function 00007FFB9900A4F0 Relevance: 4.7, APIs: 3, Instructions: 180
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9900A572
GetProcessTimes.KERNEL32 ref: 00007FFB9900A694

Part of subcall function 00007FFB99041330: GetLastError.KERNEL32 ref: 00007FFB99041334

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9900A7FE

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$ErrorLastProcessTimes
String ID:
API String ID: 2166301098-0
Opcode ID: a0b7e2c5a21875be9e5374b7f7d2a0a31ea491975b18e65bec993bb82cf9f54b
Instruction ID: 2b30404456ead1d0581a132b001c18fb5df2de3f5bbfaeaea0239304be4956f6
Opcode Fuzzy Hash: a0b7e2c5a21875be9e5374b7f7d2a0a31ea491975b18e65bec993bb82cf9f54b
Instruction Fuzzy Hash: 3D81B1B2609BC691EAB19F25E4447AAB764FB99BC0F404226EEDC17B55DF3CC184C700

Function 00007FFB98FFCDE0 Relevance: 4.6, APIs: 3, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhRemoveCounter.PDH ref: 00007FFB98FFCE26
CloseHandle.KERNEL32 ref: 00007FFB98FFCE78
PdhCloseQuery.PDH ref: 00007FFB98FFCEB5

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Close$CounterHandleQueryRemove
String ID:
API String ID: 2858124046-0
Opcode ID: ec4ffcc8567a3f188813cc51e746f1a03117ceca20d591a591bffe2e3af57f23
Instruction ID: 7bdc1dad3e05eab07bec9ad76b30a8cd2a66e4af59e7aacfef24cd93af4e03c1
Opcode Fuzzy Hash: ec4ffcc8567a3f188813cc51e746f1a03117ceca20d591a591bffe2e3af57f23
Instruction Fuzzy Hash: 842125B2A19A6345EB709F39D4013786751EF80BA4FA46730EB6E826D1EF38E4428704

Function 00007FFB99013300 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32 ref: 00007FFB9901339F

Strings

ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs, xrefs: 00007FFB990133FC

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: MemoryProcessRead
String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs
API String ID: 1726664587-2592314639
Opcode ID: 154fd1863748eb6e3aa37478280398bf4836337ff6abd2f241f701ef5836134d
Instruction ID: 8e172d3b412e8be1d48ec26f1bdd09684367f680303533b21c37c14247012cbf
Opcode Fuzzy Hash: 154fd1863748eb6e3aa37478280398bf4836337ff6abd2f241f701ef5836134d
Instruction Fuzzy Hash: 4681D5A2A08A5281EAB18F22E4017BA67A0FF95BD4F54C131EEAD477C5DF3DE5818710

Function 00007FFB99014440 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetPerformanceInfo.KERNEL32 ref: 00007FFB99014505

Strings

@, xrefs: 00007FFB9901446A

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: InfoPerformance
String ID: @
API String ID: 3070290716-2766056989
Opcode ID: 20f44ae7a57ef176a7fd478efd20977fc81dc49758b823866ee7d790288df0ab
Instruction ID: 21ddbaa297a94fde0153127af841d6e8db03397f6c198738176565a8332f1eb5
Opcode Fuzzy Hash: 20f44ae7a57ef176a7fd478efd20977fc81dc49758b823866ee7d790288df0ab
Instruction Fuzzy Hash: 04316361A18AC181E6B28B28E4467E5A3B4BFD9364F049320EBDC46795FF3DD1D68B40

Function 00007FFB99011730 Relevance: 3.2, APIs: 2, Instructions: 151
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 00007FFB990117B2
GetProcessTimes.KERNEL32 ref: 00007FFB99011836

Part of subcall function 00007FFB99041330: GetLastError.KERNEL32 ref: 00007FFB99041334

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Process$ErrorLastOpenTimes
String ID:
API String ID: 1188884809-0
Opcode ID: 93a18b092cf4a6bd7b24d03b0818a9b4df5257eb96a611418ace896e3b5f05a2
Instruction ID: c52f129ead32bc04df822eb7e037d14eeeadb0eab4ca0542dff5c08904c70d9c
Opcode Fuzzy Hash: 93a18b092cf4a6bd7b24d03b0818a9b4df5257eb96a611418ace896e3b5f05a2
Instruction Fuzzy Hash: F6615172A18B8243E6A49F25E4403AAB2A1FB95794F10D235EBFD067D5EF7DE0D48700

Function 00007FFB990A7060 Relevance: 3.1, APIs: 2, Instructions: 81COMMON

Download Yara Rule

APIs

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,00007FFB99045865), ref: 00007FFB990A70DB
GetLastError.KERNEL32(?,?,00007FFB99045865), ref: 00007FFB990A70E5

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: AddressErrorLastWait
String ID:
API String ID: 1574541344-0
Opcode ID: ed70a05f1d20ec105d49a2fe33840aa86f76e32dbb7ad7eca4a7eaace419717b
Instruction ID: f9f79e533bbaa59ee66d804d60b5a3d850589a6a023f9c9ec8c9d0e79d15f7b3
Opcode Fuzzy Hash: ed70a05f1d20ec105d49a2fe33840aa86f76e32dbb7ad7eca4a7eaace419717b
Instruction Fuzzy Hash: 2721E4B2F191138AFF798E75D8199BC27A5AB50788F15C035DF6A4B684CE3CD442C384

Function 00007FFB99013950 Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

VirtualQueryEx.KERNEL32 ref: 00007FFB9901399A

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: QueryVirtual
String ID:
API String ID: 1804819252-0
Opcode ID: 7ad2e8c601173baa7d0b193d6b318f4a18832f4d87898cdbe41944223f82d7ac
Instruction ID: 84c298883499dd195dab1e468a7ad760e216356ec532bef7f9b31c90c281fa24
Opcode Fuzzy Hash: 7ad2e8c601173baa7d0b193d6b318f4a18832f4d87898cdbe41944223f82d7ac
Instruction Fuzzy Hash: 8161C2A2B08A4791EAB08F21E4443B9A761FB45BD4F84C532EF6D47B95EF3DE1858310

Function 00007FFB9901B760 Relevance: 1.4, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9900A4F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9900A572
Part of subcall function 00007FFB9900A4F0: GetProcessTimes.KERNEL32 ref: 00007FFB9900A694

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9901B7F3

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$ProcessTimes
String ID:
API String ID: 3369102921-0
Opcode ID: 6243e473f3b6b8d19f553fb0d1d1c9c818a7fc21bc4286bd1717a95abe95b021
Instruction ID: e7bfb5e798fa0c5b1e19cca6b3198eb4455802860538ca2f6ba39c125ead0254
Opcode Fuzzy Hash: 6243e473f3b6b8d19f553fb0d1d1c9c818a7fc21bc4286bd1717a95abe95b021
Instruction Fuzzy Hash: 5A815D72619BC685E6B18F20F8447AAB3A4FB95780F548235EADC13B58DF3CD194CB40

Function 00007FFB99017010 Relevance: 1.4, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99017162

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 2580fd8042fc4c9308c4a50a559c4f0db754e574a64f772dd70ffccb8e543580
Instruction ID: c23a6b298779cee51091c0eb893d743662cee654c2925b1f7d7816cb9592e71a
Opcode Fuzzy Hash: 2580fd8042fc4c9308c4a50a559c4f0db754e574a64f772dd70ffccb8e543580
Instruction Fuzzy Hash: 5851E762B09B8681FAB68F29E5007B9A364FB85BC4F449534EEAC17B85DF3DE1418300

Function 00007FFB98FFD0E0 Relevance: 1.4, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFD1DE

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: ce430502d745eef7b07d547f8d41427f4233ec20b23cd2e9d2959184cb231ff5
Instruction ID: a19e4ea33dd4c6c7f55e2e6556e065bafa2748955a7d7cfd556e67fab08c11b8
Opcode Fuzzy Hash: ce430502d745eef7b07d547f8d41427f4233ec20b23cd2e9d2959184cb231ff5
Instruction Fuzzy Hash: A541D7B6A1878281F6619B2AE40036AA361FF957C0F549632FFDD63A55DF3CD1858340

Function 00007FFB990111C0 Relevance: 1.4, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFB990085BD), ref: 00007FFB990112F2

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 44ffa615676fa388739d42c65e1246181da5665d8e2d8a22bd76da9b7933d62e
Instruction ID: b99a6a05fb280abf1227579577030ff227b817eae1c97718eef2ffde7f88e61c
Opcode Fuzzy Hash: 44ffa615676fa388739d42c65e1246181da5665d8e2d8a22bd76da9b7933d62e
Instruction Fuzzy Hash: A831E691B0965B42EEF8CB3699002B65295AB49BF4F54C731CE7D8B7D0ED3CE1958240

Non-executed Functions

Function 00007FFB98FFDD10 Relevance: 33.7, APIs: 22, Instructions: 656COMMON

Download Yara Rule

APIs

CallNtPowerInformation.POWRPROF ref: 00007FFB98FFDDA6
GetLogicalProcessorInformationEx.KERNEL32 ref: 00007FFB98FFE007
GetLogicalProcessorInformationEx.KERNEL32 ref: 00007FFB98FFE0F6
TlsGetValue.KERNEL32 ref: 00007FFB98FFE1A9
TlsGetValue.KERNEL32 ref: 00007FFB98FFE210
TlsSetValue.KERNEL32 ref: 00007FFB98FFE220
TlsGetValue.KERNEL32 ref: 00007FFB98FFE277
TlsGetValue.KERNEL32 ref: 00007FFB98FFE2BE
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFB98FFE2FA
TlsGetValue.KERNEL32 ref: 00007FFB98FFE32D
TlsSetValue.KERNEL32 ref: 00007FFB98FFE33D

Part of subcall function 00007FFB990A7920: TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFB990ADBD5,?,?,?), ref: 00007FFB990A7963
Part of subcall function 00007FFB990A7920: InitOnceComplete.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFB990ADBD5,?,?,?), ref: 00007FFB990A79AE

TlsGetValue.KERNEL32 ref: 00007FFB98FFE377
TlsGetValue.KERNEL32 ref: 00007FFB98FFE3B9
TlsGetValue.KERNEL32 ref: 00007FFB98FFE407
TlsSetValue.KERNEL32 ref: 00007FFB98FFE417
TlsGetValue.KERNEL32 ref: 00007FFB98FFE44C
TlsGetValue.KERNEL32 ref: 00007FFB98FFE489
TlsGetValue.KERNEL32 ref: 00007FFB98FFE4DF
TlsSetValue.KERNEL32 ref: 00007FFB98FFE4EF
TlsGetValue.KERNEL32 ref: 00007FFB98FFE520
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FFE577
RtlGetVersion.NTDLL ref: 00007FFB98FFE589

Part of subcall function 00007FFB98FFCC60: PdhCloseQuery.PDH ref: 00007FFB98FFCCAF

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Value$Information$LogicalProcessor$AllocCallCloseCompleteInitOncePowerPrngProcessQueryVersionmemset
String ID:
API String ID: 1612812885-0
Opcode ID: 65ec80cb2d6eeeaf81028685fcfa17a5c0f368f2d6784e17b982227086a6f180
Instruction ID: 6ac2eb78449c190246e38ece885869f7ea7e2d0168c43d0e0ef636d6d84ad7c9
Opcode Fuzzy Hash: 65ec80cb2d6eeeaf81028685fcfa17a5c0f368f2d6784e17b982227086a6f180
Instruction Fuzzy Hash: 883227B2B0965242FAB49F35D4003BD6691AF88B80FA89535EF9D4B7C5DF3DE8428704

Function 00007FFB98FF87B0 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 504nativelibraryloaderCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FF87DE
GetModuleHandleA.KERNEL32 ref: 00007FFB98FF8871
GetModuleHandleA.KERNEL32 ref: 00007FFB98FF889F
LoadLibraryA.KERNEL32 ref: 00007FFB98FF88AC
GetProcAddress.KERNEL32 ref: 00007FFB98FF8970
GetModuleHandleA.KERNEL32 ref: 00007FFB98FF8A7C
GetProcAddress.KERNEL32 ref: 00007FFB98FF8B40
AddVectoredExceptionHandler.KERNEL32 ref: 00007FFB98FF8BA3
NtQueryInformationProcess.NTDLL ref: 00007FFB98FF8BDA
NtQuerySystemInformation.NTDLL ref: 00007FFB98FF8C27
NtGetContextThread.NTDLL ref: 00007FFB98FF8DF5
NtSetContextThread.NTDLL ref: 00007FFB98FF8E7E
NtClose.NTDLL ref: 00007FFB98FF8E8E

Strings

Rng::fill failedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand-0.8.5\src\rng.rs, xrefs: 00007FFB98FF9089
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFB98FF904D

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: HandleModule$AddressContextInformationProcQueryThread$CloseExceptionHandlerLibraryLoadProcessSystemVectoredmemset
String ID: Rng::fill failedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand-0.8.5\src\rng.rs$called `Result::unwrap()` on an `Err` value
API String ID: 3151366523-3362511459
Opcode ID: 83c356531b9f9762a9043adf1d6a463cd1e09e3952796af0121d3f7748b25722
Instruction ID: 7c391b74e140683c7e5666eaf5bae475390bafdc04c8b64bac5be019fbb307fd
Opcode Fuzzy Hash: 83c356531b9f9762a9043adf1d6a463cd1e09e3952796af0121d3f7748b25722
Instruction Fuzzy Hash: 6D329FB1A18B9281EBB18B21E5003BABBA0FF45B84FA45535EE8D07B95DF7DE441C704

Function 00007FFB990A2E10 Relevance: 24.5, APIs: 16, Instructions: 456COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00080088,00000000,00000001,00080060,00007FFB990A2C84), ref: 00007FFB990A2E95
WriteConsoleW.KERNEL32 ref: 00007FFB990A2ED4
WriteConsoleW.KERNEL32 ref: 00007FFB990A2F3B
GetLastError.KERNEL32 ref: 00007FFB990A2F44
GetLastError.KERNEL32 ref: 00007FFB990A2FAE
GetStdHandle.KERNEL32(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A309F
GetLastError.KERNEL32(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A30AF
GetConsoleMode.KERNEL32(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A30F7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A3126
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A3140
WideCharToMultiByte.KERNEL32(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A3241
CloseHandle.KERNEL32(?,00080088,?,?,?,00000001,?,00080030), ref: 00007FFB990A3313
SetLastError.KERNEL32 ref: 00007FFB990A33D2
ReadConsoleW.KERNEL32 ref: 00007FFB990A33E8
GetLastError.KERNEL32 ref: 00007FFB990A33F8

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$Console$ByteCharHandleMultiWideWritememcpy$CloseModeRead
String ID:
API String ID: 262030326-0
Opcode ID: 03a37ca1b8088afd316fe39b557cd38fad8174c223675c13a03c08b05f556c46
Instruction ID: 81f284edad1cddcb397df317e393fb4b001bbd619659ab402083bf0a99489ce2
Opcode Fuzzy Hash: 03a37ca1b8088afd316fe39b557cd38fad8174c223675c13a03c08b05f556c46
Instruction Fuzzy Hash: 6502FFA2F1929391FBB49F71D8083F966A0AF44B94F458131EE6D87BC9DE3CE5818350

Function 00007FFB98FF8160 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 360libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF82BD
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF82F7
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF8360
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF839A
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF8401
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF843B
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF84A2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF84DC
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF8543
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF857D
CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF860C
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB98FF861E

Strings

Rng::fill failedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand-0.8.5\src\rng.rs, xrefs: 00007FFB98FF8678

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$CreateEventHandleModuleObjectSingleWait
String ID: Rng::fill failedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand-0.8.5\src\rng.rs
API String ID: 2726895772-2541100763
Opcode ID: c767602cb81d9ac396bdce0a43a747f462f62fec4e090cbb81ff9fa0cd949ba5
Instruction ID: 9deef5cd6f7dbc8b19421736ed8a3b316650ba3433b9bf04d4cb047465e834a4
Opcode Fuzzy Hash: c767602cb81d9ac396bdce0a43a747f462f62fec4e090cbb81ff9fa0cd949ba5
Instruction Fuzzy Hash: 2BF1DFB2B1865380EE709B32E5007AA6760BF85BD4FA49A31EE6D077D6DF7DE1018704

Function 00007FFB9901D310 Relevance: 18.4, APIs: 12, Instructions: 424COMMON

Download Yara Rule

APIs

NetUserEnum.NETAPI32 ref: 00007FFB9901D43D
NetUserGetInfo.NETAPI32 ref: 00007FFB9901D4AD

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: User$EnumInfo
String ID:
API String ID: 2388768862-0
Opcode ID: d1f6a168d115fb8464c204134c553cd7ad8b6b47ac37865dc6fba0b669ffcb99
Instruction ID: 47093f9a395fc26b166ad42a41b5f49d574e309148f9cb8ac3cbd582a5af83ad
Opcode Fuzzy Hash: d1f6a168d115fb8464c204134c553cd7ad8b6b47ac37865dc6fba0b669ffcb99
Instruction Fuzzy Hash: 8C1250B2609B8282EBB09F25E4403AAA7A1FB84BC4F548536DF9D47B99DF3DD445C700

Function 00007FFB99000220 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 478fileCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB99000268

Part of subcall function 00007FFB98FFF1C0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFF31A

CreateFileW.KERNEL32 ref: 00007FFB99000391
CloseHandle.KERNEL32 ref: 00007FFB9900060F
CloseHandle.KERNEL32(?), ref: 00007FFB99000C06

Strings

, xrefs: 00007FFB990002A3

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CreateFilememcpymemset
String ID:
API String ID: 83581381-3916222277
Opcode ID: 101c16379f8f8cbf383b45ac346becee7e761436e2fc05531052f326e399cc94
Instruction ID: 2dfc5c989c44a4c2ee6eca73949d595ce088791be8f06326cc9a45230b1dc9a5
Opcode Fuzzy Hash: 101c16379f8f8cbf383b45ac346becee7e761436e2fc05531052f326e399cc94
Instruction Fuzzy Hash: 55325DA2A1C7C284F7B19F25E0247EEA2B0FB86744F108135CAAD06AD5DF7DD594CB41

Function 00007FFB99099730 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 336COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99099974

Strings

cygw, xrefs: 00007FFB99099CA8
msys, xrefs: 00007FFB99099C39
win-, xrefs: 00007FFB99099CAF
-pty, xrefs: 00007FFB99099C53, 00007FFB99099C88

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: -pty$cygw$msys$win-
API String ID: 3510742995-1440016460
Opcode ID: d3fbad761834d3c8db14849e4a9246d48ef2da392b0ed67f28a5bdf4ce5dc014
Instruction ID: 656ab396766cc9afd305befcecc91d88300419ddcfe9f49c69b31a3c925dd23b
Opcode Fuzzy Hash: d3fbad761834d3c8db14849e4a9246d48ef2da392b0ed67f28a5bdf4ce5dc014
Instruction Fuzzy Hash: E3D1CFA2A0879289FBB08F79D8553FD2790EB54788F548135DA694BBCADF3CD685C300

Function 00007FFB990A2570 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

ka, xrefs: 00007FFB990A2636

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID:
String ID: ka
API String ID: 0-1793574901
Opcode ID: 3d6dc4548c1d718a03338362e7f49c509304b02c8e19b8f09930801f70830535
Instruction ID: 9ca37876c67147d986acd4bc4e9ba7804eab7b877968c664fc2ae95bb6839bab
Opcode Fuzzy Hash: 3d6dc4548c1d718a03338362e7f49c509304b02c8e19b8f09930801f70830535
Instruction Fuzzy Hash: F9A1C3A2B0A65781EAB89F3AD6083B92261BF48FD4F558531DD2D077C4DE3CE582C340

Function 00007FFB990849F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFB99084AFB

Part of subcall function 00007FFB990EFDE0: RtlCaptureContext.KERNEL32 ref: 00007FFB990EFE72
Part of subcall function 00007FFB990EFDE0: RtlUnwindEx.KERNEL32 ref: 00007FFB990EFEAF
Part of subcall function 00007FFB990EFDE0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB990EFEB5
Part of subcall function 00007FFB990EFDE0: RaiseException.KERNEL32 ref: 00007FFB990EFEF2

Strings

StderrLock, xrefs: 00007FFB99084EBB
lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs, xrefs: 00007FFB99084B1C

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: AddressCaptureContextExceptionRaiseSingleUnwindWakeabort
String ID: StderrLock$lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs
API String ID: 938658393-214416337
Opcode ID: 7d0698d3b608854b94f66a72beaf7516906c0cf3d6c45231d4e380671a93a810
Instruction ID: ca09f1b31012f7d4bacf8787d039a4a7207c2347063fdda82235c3263ac954df
Opcode Fuzzy Hash: 7d0698d3b608854b94f66a72beaf7516906c0cf3d6c45231d4e380671a93a810
Instruction Fuzzy Hash: C4D1ABA2F08A1686EBA4DF36D4043B96761EB48BA4F948635DE2E077C5DF3DE5428300

Function 00007FFB9900FB50 Relevance: 5.5, APIs: 4, Instructions: 456COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FFB9900CEDC), ref: 00007FFB9900FD03

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1044fb59293d1fddaa8e4ff40b5a29b2e6b2756d137971db36e6ec828bee6ada
Instruction ID: 21d8b45560919b3f7991b24f3f5efa1c9c65a559d3150b963678f97c18618de5
Opcode Fuzzy Hash: 1044fb59293d1fddaa8e4ff40b5a29b2e6b2756d137971db36e6ec828bee6ada
Instruction Fuzzy Hash: 51024563E19B8682EA61CF28D5112B86720FB96BA4F459335DFAD067D2DF3CE191C300

Function 00007FFB99056C30 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(?,00000000,?,00007FFB990567B5,?,?,00000000,00007FFB99053176), ref: 00007FFB99056C72
SystemFunction036.ADVAPI32(?,00000000,?,00007FFB990567B5,?,?,00000000,00007FFB99053176), ref: 00007FFB99056C85

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CryptFunction036RandomSystem
String ID:
API String ID: 1232939966-0
Opcode ID: edaf3c05d39f4af3d537a6341ff7a846ba6def7ed363080595f2fe368e43d273
Instruction ID: c308297c6aed60313341649bd927ea78001d542efbdcb5365a76209cb794f1a4
Opcode Fuzzy Hash: edaf3c05d39f4af3d537a6341ff7a846ba6def7ed363080595f2fe368e43d273
Instruction Fuzzy Hash: 12F0B4E2F191A705FEF41D7B9E0457589815F257F0D288335AD7D87AD6EC29F8821102

Function 00007FFB98FFFA70 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFB98FFFA99

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: a4ddce30272e5139cc5a03e003ae9961be119e76b0352709f53b54bbd1793538
Instruction ID: d12c0a8a7b62b5d8886d501b0b1156fe8b2a838faf036450ac403619bb96c5af
Opcode Fuzzy Hash: a4ddce30272e5139cc5a03e003ae9961be119e76b0352709f53b54bbd1793538
Instruction Fuzzy Hash: A1F01C72618B4182E7609B61F4407AA7261E788784F548131EADE87B54CF7CD1818740

Function 00007FFB990A6230 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 481COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB990A63F4
GetFullPathNameW.KERNEL32 ref: 00007FFB990A6410
GetLastError.KERNEL32 ref: 00007FFB990A641B
GetLastError.KERNEL32 ref: 00007FFB990A6434

Strings

\\?\, xrefs: 00007FFB990A6556
\\?\UNC\, xrefs: 00007FFB990A65A8

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\$\\?\UNC\
API String ID: 2482867836-3019864461
Opcode ID: ed3ffb806fa8e03f4d903f2f8905634a2cdfe26b5f29a395ac6398c736c96f8c
Instruction ID: e10640418ed9c0c977d549bd6c5ec73182c3d25ed3581a939429f0d0e7a5e524
Opcode Fuzzy Hash: ed3ffb806fa8e03f4d903f2f8905634a2cdfe26b5f29a395ac6398c736c96f8c
Instruction Fuzzy Hash: 8212A2E2E0969385EBB89F31C84C3B926A5FB05B94F418535DAAD4B7C5DF3CE6818340

Function 00007FFB990A4230 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 276libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB990A4339
GetFullPathNameW.KERNEL32 ref: 00007FFB990A434E
GetLastError.KERNEL32 ref: 00007FFB990A4359
GetLastError.KERNEL32 ref: 00007FFB990A4372
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A43F0
GetLastError.KERNEL32 ref: 00007FFB990A442A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A44E9
GetModuleHandleA.KERNEL32 ref: 00007FFB990A4679
GetProcAddress.KERNEL32 ref: 00007FFB990A468D

Strings

SetThreadDescription, xrefs: 00007FFB990A4683
kernel32, xrefs: 00007FFB990A4672

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$AddressFullHandleModuleNamePathProcmemcmpmemcpy
String ID: SetThreadDescription$kernel32
API String ID: 1783792165-1950310818
Opcode ID: d16caf42d59669fbb94879889cb953ed7db0d01622573f9800f666c86dec7bb0
Instruction ID: 36041224b58dbf229a95fe385f3a6614fa6dc56c0ac9893b006a7bfe56aa21e7
Opcode Fuzzy Hash: d16caf42d59669fbb94879889cb953ed7db0d01622573f9800f666c86dec7bb0
Instruction Fuzzy Hash: B3B19DA6A0979386EBB99F31D8483B92655BF48BC8F558031CE2C4BB96DF3CD2418340

Function 00007FFB990A2B20 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFB990A2B43
GetLastError.KERNEL32(?,?,?,00080088,?,00080070,00080070,00080060,00007FFB99086BC5), ref: 00007FFB990A2B5B
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00080078,00007FFB99084E66), ref: 00007FFB990A2B9A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00080078,00007FFB99084E66), ref: 00007FFB990A2DF5
MultiByteToWideChar.KERNEL32(00000000,00080088,00000000,00000001,00080060,00007FFB990A2C84), ref: 00007FFB990A2E95
WriteConsoleW.KERNEL32 ref: 00007FFB990A2ED4

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFB990A2D93

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ConsoleHandle$ByteCharCloseErrorLastModeMultiWideWrite
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1828868761-2333694755
Opcode ID: 8148cda61f73774d321e2bf937e763286ce9fbc27c84f6f1da959c08a4a8812a
Instruction ID: f0028e9295209655d786be7765a7ab4e51c06f1b833f13657eb8ab8a20f739f8
Opcode Fuzzy Hash: 8148cda61f73774d321e2bf937e763286ce9fbc27c84f6f1da959c08a4a8812a
Instruction Fuzzy Hash: 13C1D1A2E0969355FBB88F74D6083FC2B61AB04798F458131DA6D47ACADF3CD185C390

Function 00007FFB990F03C0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FFB990F0591,?,?,?,?,?,?,00007FFB991858D8,00000000), ref: 00007FFB990F03E7
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FFB990F0591,?,?,?,?,?,?,00007FFB991858D8,00000000), ref: 00007FFB990F0410

Part of subcall function 00007FFB990F0FD0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00007FFB990F0423,?,?,?,?,00000000,00000000,00007FFB990F0591), ref: 00007FFB990F0FE7

VirtualQuery.KERNEL32 ref: 00007FFB990F04DB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFB990F0571
VirtualProtect failed with code 0x%x, xrefs: 00007FFB990F054E
Address %p has no image-section, xrefs: 00007FFB990F0432, 00007FFB990F0585
Mingw-w64 runtime failure:, xrefs: 00007FFB990F03F7

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: __acrt_iob_func$QueryVirtual__stdio_common_vfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2227559371-1534286854
Opcode ID: d2f35f438812628afec87083bd482c667a54cb9a11b415c01867761c60754505
Instruction ID: 91ec38d2745d2173ee0036cfe7cd1f1b588f06a8ea26b8550829e6f4dacc72e8
Opcode Fuzzy Hash: d2f35f438812628afec87083bd482c667a54cb9a11b415c01867761c60754505
Instruction Fuzzy Hash: A041C2F2A09A5782EBA08F21E840AB977B0FF85B90F954131DA5C173A4DF3CEA55C340

Function 00007FFB99068010 Relevance: 15.5, APIs: 8, Strings: 2, Instructions: 483COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9906809E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990680D5
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9906859B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9906860F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99068647

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFB990683D3
assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FFB990689A3

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
API String ID: 3510742995-2079967719
Opcode ID: eb5419176b5d512d1769c9db9a8281a698320489efb31ddfcb6e8d91e022418b
Instruction ID: 77df128966c78f5ea15f1ecc2a14181066f3c6fcea6f3eb2fcbb8340448510c5
Opcode Fuzzy Hash: eb5419176b5d512d1769c9db9a8281a698320489efb31ddfcb6e8d91e022418b
Instruction Fuzzy Hash: 17428972A04BC285E771CF24E8413E933A8FB58B88F548226DE9D5BB95DF78D295C300

Function 00007FFB98FFF610 Relevance: 10.8, APIs: 7, Instructions: 285COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FFF676
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFF7D0
FindNextVolumeW.KERNEL32 ref: 00007FFB98FFF804
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFB98FFFA99

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: DiskFindFreeNextSpaceVolumememcpymemset
String ID:
API String ID: 2905604665-0
Opcode ID: 5c7e42a3f69397965ca1a5bc3867ce836ab2c1ddcc91dfdcdff7d9b1013b988a
Instruction ID: eb4bebc0ccd7ca6282ae5ebf9c5529d4f3738352257dd59319ca4740409602f4
Opcode Fuzzy Hash: 5c7e42a3f69397965ca1a5bc3867ce836ab2c1ddcc91dfdcdff7d9b1013b988a
Instruction Fuzzy Hash: 8FC1C4B2A0CB4281EBB09B25E44037AA6A0FF84794FA49635EEAD477D5DF3CD540C704

Function 00007FFB9907BE30 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB9907BFB9
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB9907BFCB
GetLastError.KERNEL32 ref: 00007FFB9907BFD7
GetLastError.KERNEL32 ref: 00007FFB9907BFF0

Strings

environment variable not foundenvironment variable was not valid unicode: , xrefs: 00007FFB9907C27D

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: environment variable not foundenvironment variable was not valid unicode:
API String ID: 2691138088-3632183283
Opcode ID: 229e23d2f11a467241cf802ba7087207a0a802c7da828c653801ced37b386dfc
Instruction ID: 561abae6024e23d2bae92c63d4f0dce48a99e5ae7dea64948bc733481fe84a93
Opcode Fuzzy Hash: 229e23d2f11a467241cf802ba7087207a0a802c7da828c653801ced37b386dfc
Instruction Fuzzy Hash: 15B1BEA2B04AA285EBB49F71D8443FD2764BB45BD8F148435CE6C9BB99DF3DD2818340

Function 00007FFB990A3DF0 Relevance: 10.8, APIs: 7, Instructions: 251COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB990A3EF9
GetFullPathNameW.KERNEL32 ref: 00007FFB990A3F0E
GetLastError.KERNEL32 ref: 00007FFB990A3F19
GetLastError.KERNEL32 ref: 00007FFB990A3F32
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A3FB7
GetLastError.KERNEL32 ref: 00007FFB990A3FF1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A40B0

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FullNamePathmemcmpmemcpy
String ID:
API String ID: 2015650653-0
Opcode ID: c2071ec9951aaa0769291ec01c2e441aa3e53cac064bcbed00e60981cebdbddb
Instruction ID: 2978269d2f65d5afd7ba583f0852af380f77383c63ca707b3e815165710e3ac0
Opcode Fuzzy Hash: c2071ec9951aaa0769291ec01c2e441aa3e53cac064bcbed00e60981cebdbddb
Instruction Fuzzy Hash: 7CA1A0A6B0979386EBB99F31D8493B96659BF54BC8F558032DE2C4BB85DF3CD2408340

Function 00007FFB9909B5D0 Relevance: 10.7, APIs: 7, Instructions: 185COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB9909B6C8
GetModuleFileNameW.KERNEL32 ref: 00007FFB9909B6D5
GetLastError.KERNEL32 ref: 00007FFB9909B6E1
GetLastError.KERNEL32 ref: 00007FFB9909B6FA
GetLastError.KERNEL32 ref: 00007FFB9909B796
SetCurrentDirectoryW.KERNEL32 ref: 00007FFB9909B87A
GetLastError.KERNEL32 ref: 00007FFB9909B8AA

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName
String ID:
API String ID: 1505103792-0
Opcode ID: f19fe9e112a66080942e94092620ba0b0f9219739f2db8bc937d5c26f35f82ba
Instruction ID: 8f27a6ba5d2e1fc27dc660d7faf1c24c5e5945e127cd1fcdbbd3df32ff442e78
Opcode Fuzzy Hash: f19fe9e112a66080942e94092620ba0b0f9219739f2db8bc937d5c26f35f82ba
Instruction Fuzzy Hash: EF71B0A2B08A9285FBB59F75D8453F96755BF04BE8F048131DE6C57A8ADF2CE2808300

Function 00007FFB99001660 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FFB9900169E
SysFreeString.OLEAUT32 ref: 00007FFB9900170B
SysFreeString.OLEAUT32 ref: 00007FFB99001713
CoUninitialize.OLE32 ref: 00007FFB990017B2

Strings

WQL, xrefs: 00007FFB99001683
SELECT * FROM MSAcpi_ThermalZoneTemperature, xrefs: 00007FFB99001697

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: String$Free$AllocUninitialize
String ID: SELECT * FROM MSAcpi_ThermalZoneTemperature$WQL
API String ID: 522029473-2989581318
Opcode ID: d533c448bf5a03fad7bf9007f40bf8e5e398e176ce492cda1bdb937de17db41d
Instruction ID: ad55c17fbd156e955dd4c535879c35d263e231a16cace7fbb1f4369d1f65e11d
Opcode Fuzzy Hash: d533c448bf5a03fad7bf9007f40bf8e5e398e176ce492cda1bdb937de17db41d
Instruction Fuzzy Hash: A8417EB2609B4292EAB09F22E85136AB7A4FF55784F440035EF9E43796EF7CE085C340

Function 00007FFB990EFDE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFB990EFE72
RtlUnwindEx.KERNEL32 ref: 00007FFB990EFEAF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB990EFEB5
RaiseException.KERNEL32 ref: 00007FFB990EFEF2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB990EFF07

Strings

CCG , xrefs: 00007FFB990EFEED

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID: CCG
API String ID: 4122134289-1584390748
Opcode ID: f7441c84a6678f3ea4936f78d6106ab053f9af8d469b1ea39c4bf20af513a4ce
Instruction ID: cf10392aa6c15b8fa1bec61960731458e5faa14f37a4a60adb35f933dc9d85bd
Opcode Fuzzy Hash: f7441c84a6678f3ea4936f78d6106ab053f9af8d469b1ea39c4bf20af513a4ce
Instruction Fuzzy Hash: 09316F72A18BC686E7609F24E4403AA7771FBD9788F509226DB8C13765DF79D1A1CB00

Function 00007FFB9904B3F0 Relevance: 10.3, APIs: 8, Instructions: 307COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9904AFC0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9904B0F2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B46A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B511
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B5C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B671
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B721
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B7D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B881
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000008,?,?,?,?,00000000,00007FFB9904C9C0), ref: 00007FFB9904B92D

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a02889e561553ea157a5a03a345de5cd6e001513076a317177940a5da48adae8
Instruction ID: a8bf2f89aae0bb0c23c8ce8fe2735b3892d80b3398be7323634a1669d9da4a17
Opcode Fuzzy Hash: a02889e561553ea157a5a03a345de5cd6e001513076a317177940a5da48adae8
Instruction Fuzzy Hash: D3E1825291CAC691E6715F39E0013FAA7A0FF95344F159121EECD12A9AEF3DE6C6CB00

Function 00007FFB990A8930 Relevance: 9.2, APIs: 6, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB99095D70: GetFileInformationByHandleEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFB990A8A42), ref: 00007FFB99095DD3

CreateFileMappingA.KERNEL32 ref: 00007FFB990A8B26
MapViewOfFile.KERNEL32 ref: 00007FFB990A8B46
CloseHandle.KERNEL32 ref: 00007FFB990A8B51
CloseHandle.KERNEL32 ref: 00007FFB990A8B7A
GetLastError.KERNEL32 ref: 00007FFB990A8B81
CloseHandle.KERNEL32 ref: 00007FFB990A8B90

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Handle$CloseFile$CreateErrorInformationLastMappingView
String ID:
API String ID: 2964106993-0
Opcode ID: 59f6d28cb9eff2efd9aa7f8cbaf80cac8ec03e00fa82fb82abe355b06160ade3
Instruction ID: b1cbf40e6a7c435a4e8f4102084ff2b5ba075f400f7f36b195c3832f0c9bed4e
Opcode Fuzzy Hash: 59f6d28cb9eff2efd9aa7f8cbaf80cac8ec03e00fa82fb82abe355b06160ade3
Instruction Fuzzy Hash: 2C61BEB2B1A75285FBB8DF62E4493AD27A0BB45B84F598039DE6C07B85DF3CD0428740

Function 00007FFB99045040 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFB990473E9
TlsGetValue.KERNEL32 ref: 00007FFB9904743F
TlsSetValue.KERNEL32 ref: 00007FFB9904744F
TlsGetValue.KERNEL32 ref: 00007FFB99047480

Strings

SomeBroadcastContext, xrefs: 00007FFB990474D4
None, xrefs: 00007FFB990474F4

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Value
String ID: None$SomeBroadcastContext
API String ID: 3702945584-174103366
Opcode ID: 6d928adf873051dbf801eeef9e6ebbcaabe82b64e8f70111deb873f171dda760
Instruction ID: 85fd47e8c9d2108b1991ba775adf2cf9fefcc56e5381c799765f835b852024de
Opcode Fuzzy Hash: 6d928adf873051dbf801eeef9e6ebbcaabe82b64e8f70111deb873f171dda760
Instruction Fuzzy Hash: EA31C3A1F0A26352FBB59F39D4003BD2B95AF85B80F484435CFAD47782EE2CE8458380

Function 00007FFB99047070 Relevance: 8.9, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFB990472D9
TlsGetValue.KERNEL32 ref: 00007FFB99047340
TlsSetValue.KERNEL32 ref: 00007FFB99047350
TlsGetValue.KERNEL32 ref: 00007FFB990473A7
TlsGetValue.KERNEL32 ref: 00007FFB990473E9
TlsGetValue.KERNEL32 ref: 00007FFB9904743F
TlsSetValue.KERNEL32 ref: 00007FFB9904744F

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2b1b165d566399e075e40cc15f4da751a8b31a647fc9875ee39daf97d25330b8
Instruction ID: 88a8a88f349bda249b52fd261b4e3ffcb142a37e369551c02af4542109c5972e
Opcode Fuzzy Hash: 2b1b165d566399e075e40cc15f4da751a8b31a647fc9875ee39daf97d25330b8
Instruction Fuzzy Hash: 0F41A2A1B0A65741FAF56F36C5043BD6796AF84B80F588435DEAC073C2EE2DE8425780

Function 00007FFB99012A90 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9909D090: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFB9909D244

Part of subcall function 00007FFB9909D090: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?), ref: 00007FFB9909D0EE

CloseHandle.KERNEL32 ref: 00007FFB99012CFF
CloseHandle.KERNEL32 ref: 00007FFB99012D1D
CloseHandle.KERNEL32 ref: 00007FFB99012D3B

Strings

a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 00007FFB99012DBC
taskkill.exe/PID/FUnable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs, xrefs: 00007FFB99012AAB

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$memcpy
String ID: a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs$taskkill.exe/PID/FUnable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.1\src\windows\process.rs
API String ID: 2397262393-2446203462
Opcode ID: 7b7f5add01740111e04b420036e22f845c9a544211ef10a65f11276e7dc3752c
Instruction ID: 5ee7227eb6737ca4b2583e43fca3984f9f1d182b3db3c4b24d8344dcd1549a9a
Opcode Fuzzy Hash: 7b7f5add01740111e04b420036e22f845c9a544211ef10a65f11276e7dc3752c
Instruction Fuzzy Hash: 16817FB2A0C69381FAB09F25E0403BAA761FB85BC4F548431DA9D47B99DF2DE545CB40

Function 00007FFB99067250 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990676DE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99067715

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFB99067617, 00007FFB99067A13
assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FFB99067202
assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FFB99067FE3

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY$assertion failed: old_left_len + count <= CAPACITY
API String ID: 3510742995-3535459961
Opcode ID: ec31e2d2f2d238cb682712fc6711d5b6d7bf013a2ad97fdad6d88c0750e46674
Instruction ID: e009103936753179d9f0fe24c0fa474bf12d9f7ebd885a386a70b9ffb67ede32
Opcode Fuzzy Hash: ec31e2d2f2d238cb682712fc6711d5b6d7bf013a2ad97fdad6d88c0750e46674
Instruction Fuzzy Hash: 7B916B72A04BD695E7618F39D8403F933A8FB58B88F548226DE9C17759EF39D296C300

Function 00007FFB9900A820 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

NetGroupEnum.NETAPI32 ref: 00007FFB9900A8E6
NetGroupGetInfo.NETAPI32 ref: 00007FFB9900A94B
NetApiBufferFree.NETAPI32 ref: 00007FFB9900AA5E

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Group$BufferEnumFreeInfo
String ID:
API String ID: 1408970584-0
Opcode ID: f535396f361f033fcce0411874c04eff62e223ab21637c311a4ac9a64a1c0193
Instruction ID: 2f190bf587ba2a6202e9bcb3f20a7ddd5a33f5df1d7a55a0b5c5c51165a1ab8e
Opcode Fuzzy Hash: f535396f361f033fcce0411874c04eff62e223ab21637c311a4ac9a64a1c0193
Instruction Fuzzy Hash: 0561A0B3B09A4285FAA08F21E0553AAB7A0FB86B94F544432EF9D47794DF3DD441CB40

Function 00007FFB9909C910 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,?,00000000,?,00007FFB9905A554,?,00000000,?,00007FFB9909C5FA), ref: 00007FFB9909C951
GetLastError.KERNEL32(?,?,00000000,?,00007FFB9905A554,?,00000000,?,00007FFB9909C5FA), ref: 00007FFB9909C96E
GetLastError.KERNEL32(?,?,00000000,?,00007FFB9905A554,?,00000000,?,00007FFB9909C5FA), ref: 00007FFB9909C9CC
CompareStringOrdinal.KERNEL32 ref: 00007FFB9909CA39
GetLastError.KERNEL32 ref: 00007FFB9909CA4E

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$CompareOrdinalOverlappedResultString
String ID:
API String ID: 1037094402-0
Opcode ID: 1cf5f00d355b873c883229a0c6ee4e22e118a48df04c41a706570ea8908b121b
Instruction ID: f7a371b18edcad62162cd08941db48c77ba5196a5c26c4e5a8a2113fb78909bb
Opcode Fuzzy Hash: 1cf5f00d355b873c883229a0c6ee4e22e118a48df04c41a706570ea8908b121b
Instruction Fuzzy Hash: 42416AA2E09B628AE7A09F65D4043BC27A0FB49B88F548531DE9D47796DF3DE581C300

Function 00007FFB990163E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FFB990165D4
RegCloseKey.ADVAPI32 ref: 00007FFB9901673B

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 00007FFB990163FC

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseQueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
API String ID: 3356406503-1421764643
Opcode ID: b588b0cde5a49fd7dc7e149ecc75e68b2c8835f15c7b88b7da5c6959cc8e6800
Instruction ID: 5fe1acab85aa856317bec2e53e1c81c267ba82db92cb5490af93eff34ff19984
Opcode Fuzzy Hash: b588b0cde5a49fd7dc7e149ecc75e68b2c8835f15c7b88b7da5c6959cc8e6800
Instruction Fuzzy Hash: 22B182B2619B4281EBB09F21E8403AAB7A0FB85BD4F549135EADD47B99DF3DD045CB00

Function 00007FFB99015A60 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 184registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFB99015BFD
RegQueryValueExW.ADVAPI32 ref: 00007FFB99015C97
RegCloseKey.ADVAPI32 ref: 00007FFB99015CDB

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 00007FFB99015B5E

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
API String ID: 3677997916-1421764643
Opcode ID: bbd7c08a1900d0b7843992360e1c46343e0f48297b867da653f781d5e8ba3327
Instruction ID: 118214d235b6e437a4a852f7bdf0c0db11caa1b6e4c03b6d633768e5685595a0
Opcode Fuzzy Hash: bbd7c08a1900d0b7843992360e1c46343e0f48297b867da653f781d5e8ba3327
Instruction Fuzzy Hash: DE8155B261DB8285EBB08F25E4443AAB7A5FB847C0F509035EA9D47BA9DF7DD144CB00

Function 00007FFB990A7920 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFB990ADBD5,?,?,?), ref: 00007FFB990A7963
InitOnceComplete.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFB990ADBD5,?,?,?), ref: 00007FFB990A79AE

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FFB990A7B68
assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FFB990A7B50

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: AllocCompleteInitOnce
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 622421136-3544120690
Opcode ID: eb1f3e42467e61f710f7c07e960d639c2e60f659cf9bf10163ae456fe855a410
Instruction ID: a7e022cc8efcac2d14b5aeedb917ba10c4b2717d7e5ce7eb3306514d2fd8b267
Opcode Fuzzy Hash: eb1f3e42467e61f710f7c07e960d639c2e60f659cf9bf10163ae456fe855a410
Instruction Fuzzy Hash: 0771EDB2E196939AE7A4CF39E4043AC37A4FB44758F65813ADA5C43691DF38E981C380

Function 00007FFB99001390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FFB990013B9
SysFreeString.OLEAUT32 ref: 00007FFB99001464
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFB9901BF9E), ref: 00007FFB9900151B

Strings

root\WMI, xrefs: 00007FFB990013B2

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: String$AllocFreeUninitialize
String ID: root\WMI
API String ID: 3290083200-2712063579
Opcode ID: 98c0269dfcd0378be498eda70be19ca3c844e572e12d16cecb35d9e0ee934403
Instruction ID: 9b588d701919ab9a84708992d52191cfcf0a7376e36d598d8bfbc331b1fe0ad6
Opcode Fuzzy Hash: 98c0269dfcd0378be498eda70be19ca3c844e572e12d16cecb35d9e0ee934403
Instruction Fuzzy Hash: F8413C72508B8292FAB19F21F4513AAB7A0FB86394F444035EBDD46BA6DF7CE185C740

Function 00007FFB98FFCC60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

PdhCloseQuery.PDH ref: 00007FFB98FFCCAF
PdhRemoveCounter.PDH ref: 00007FFB98FFCDCD

Strings

\System\Cpu Queue Length, xrefs: 00007FFB98FFCC92
LoadUpdateEvent, xrefs: 00007FFB98FFCCCB

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseCounterQueryRemove
String ID: LoadUpdateEvent$\System\Cpu Queue Length
API String ID: 2370987109-2417354242
Opcode ID: 647fd8146301dadc266ba3f194bac3f57832ee19224204e46d22680d94dfee08
Instruction ID: a467dbe5750730ce04b4b9c2284b6cd0115249a249e37cc3354c62e201f38830
Opcode Fuzzy Hash: 647fd8146301dadc266ba3f194bac3f57832ee19224204e46d22680d94dfee08
Instruction Fuzzy Hash: 034181B290C69342E6B0DF71E4503AEA7A0EF84390F905131E7AE86AD6DF7CD0458B44

Function 00007FFB98FFAD20 Relevance: 6.6, APIs: 5, Instructions: 381COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FFAE49
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFAE59
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FFAF76
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFAF86
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FFAFF7

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: a00c8f0ca6024f96ada60d7045ffeefa70fc244fcdb3035eea65725a3636ee6f
Instruction ID: a6e7b6938ff65e18a9574c78acb39341c43bf64f0727d8eb0068be191d8a6877
Opcode Fuzzy Hash: a00c8f0ca6024f96ada60d7045ffeefa70fc244fcdb3035eea65725a3636ee6f
Instruction Fuzzy Hash: 9B02C0A260C2C18AE7758735E0183AFBF91E7127A8F885264D7FA0A3C7CB7DE1058755

Function 00007FFB9908BF00 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

exe\\.\NULexit code: , xrefs: 00007FFB9908C168
.Components, xrefs: 00007FFB9908C10F, 00007FFB9908C23F
assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FFB9908C055, 00007FFB9908C1BA

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID:
String ID: .Components$assertion failed: is_code_point_boundary(self, new_len)$exe\\.\NULexit code:
API String ID: 0-953524122
Opcode ID: 4bf10cf74353f0c97a8e8baba906ba07b86fdc5e05112f3ed4619756ac11ecf1
Instruction ID: 6de9452d63790a8c23cde56d4476a5992e6fffd71e4330fa9e7b34b3ef707233
Opcode Fuzzy Hash: 4bf10cf74353f0c97a8e8baba906ba07b86fdc5e05112f3ed4619756ac11ecf1
Instruction Fuzzy Hash: F5B1D0A1F09A6385FFB48FB2D8403B926A5AF05BD8F548435DE2D57785EE3EE5418300

Function 00007FFB9901A330 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9901A418
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9901A6D6

Strings

internal error: entered unreachable codeC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FFB9901A4A3, 00007FFB9901A5E3, 00007FFB9901A762
cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 00007FFB9901A4DE

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs$internal error: entered unreachable codeC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 3510742995-1353005617
Opcode ID: a36f195349272817425be8c32bb199ee20960e7abfcb82e78716dc043bb37a84
Instruction ID: 6af00787f3e4a34e7dea18111da4e77dccc7cd2748dab97abbd1f9a36b0eadfb
Opcode Fuzzy Hash: a36f195349272817425be8c32bb199ee20960e7abfcb82e78716dc043bb37a84
Instruction Fuzzy Hash: E7B13C6290CBC691E6B29F28E4413EAB3A4FF99744F449121DFDC02656EF3CE699C701

Function 00007FFB98FF1010 Relevance: 6.2, APIs: 4, Instructions: 213sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFB98FF105D
_execute_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB98FF108D

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Sleep_execute_onexit_table
String ID:
API String ID: 1009545205-0
Opcode ID: df51d5d6e1c4c7b57b81fbf63dc057098b287d072b406a62ff6c2fe88d321c12
Instruction ID: 0b0ef808478c001f5b01a998745a173fc22ef8eed565ae7ffafec55cc3e9d59a
Opcode Fuzzy Hash: df51d5d6e1c4c7b57b81fbf63dc057098b287d072b406a62ff6c2fe88d321c12
Instruction Fuzzy Hash: 2C71B1B1E0825345F7B69F77E94077A62A4BF45BC0FA45831DE0C87791EE3CE9829218

Function 00007FFB98FF9660 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB98FF9791

Strings

attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs, xrefs: 00007FFB98FF96E6

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs
API String ID: 3510742995-1099963043
Opcode ID: 134ece1675c8e8e29816a76501063112e23bf949911f785582f2ed68d226f113
Instruction ID: d9121028996952c374552619a7e89d0146b8d2b56fb393f4ef40eea6ceea46e4
Opcode Fuzzy Hash: 134ece1675c8e8e29816a76501063112e23bf949911f785582f2ed68d226f113
Instruction Fuzzy Hash: F561B5B2B08B8281EA60CB25E4403AAB7A1FB85BD8F949531EE5D43B95DF3CE145C704

Function 00007FFB990799F0 Relevance: 6.1, APIs: 4, Instructions: 83sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFB99079A8B
CloseHandle.KERNEL32 ref: 00007FFB99079A96
CloseHandle.KERNEL32 ref: 00007FFB99079AA6
Sleep.KERNEL32 ref: 00007FFB99079AEF

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ObjectSingleSleepWait
String ID:
API String ID: 2593906732-0
Opcode ID: acc05fc114a6afa6c89adaa132b757eb8ebe26bee863b86785b4313ed65abd39
Instruction ID: ab7ffff0fe8f69a9304d6f8c3a68b821d70fea934876757e5f826a43fc86d723
Opcode Fuzzy Hash: acc05fc114a6afa6c89adaa132b757eb8ebe26bee863b86785b4313ed65abd39
Instruction Fuzzy Hash: 9021F496F0A60312FEB89E75E91637946569F853B0E08D230DE3E867E5DD3DE8018240

Function 00007FFB98FFC950 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFB98FFE2BE
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFB98FFE2FA
TlsGetValue.KERNEL32 ref: 00007FFB98FFE32D
TlsSetValue.KERNEL32 ref: 00007FFB98FFE33D
TlsGetValue.KERNEL32 ref: 00007FFB98FFE377
TlsGetValue.KERNEL32 ref: 00007FFB98FFE3B9
TlsGetValue.KERNEL32 ref: 00007FFB98FFE407
TlsSetValue.KERNEL32 ref: 00007FFB98FFE417
TlsGetValue.KERNEL32 ref: 00007FFB98FFE44C
TlsGetValue.KERNEL32 ref: 00007FFB98FFE489
TlsGetValue.KERNEL32 ref: 00007FFB98FFE4DF
TlsSetValue.KERNEL32 ref: 00007FFB98FFE4EF
TlsGetValue.KERNEL32 ref: 00007FFB98FFE520
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB98FFE577
RtlGetVersion.NTDLL ref: 00007FFB98FFE589

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Value$PrngProcessVersionmemset
String ID:
API String ID: 1585940240-0
Opcode ID: 3c550410f0edefc9c4c64c1c23e2ac0307e71bd014fd8453c883811e3d130fd9
Instruction ID: 9331af453c31f878d6645c874ddfb5f8d7fdcdc43da5054ca38f532522eafecc
Opcode Fuzzy Hash: 3c550410f0edefc9c4c64c1c23e2ac0307e71bd014fd8453c883811e3d130fd9
Instruction Fuzzy Hash: CD2138B1E0969741FA750B39C1057BD5790AF88B80FA9A530EE8C0B7C1DF2DE9828304

Function 00007FFB99001800 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FFB990019EB

Strings

CurrentTemperature, xrefs: 00007FFB990018A8
CriticalTripPoint, xrefs: 00007FFB990019B1

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ClearVariant
String ID: CriticalTripPoint$CurrentTemperature
API String ID: 1473721057-3920528518
Opcode ID: d2ef15b10033a7d13c3b972bbe0cb5b07435e5ecb743a28238452877cbbaac7e
Instruction ID: ca3ad5c115a8cbb00cbcf3aae1b2c251bd1b942872878b60cecde4bb555d3c7d
Opcode Fuzzy Hash: d2ef15b10033a7d13c3b972bbe0cb5b07435e5ecb743a28238452877cbbaac7e
Instruction Fuzzy Hash: 05814472A1CA8286F7F09F39E4513AAA3A0FF86344F544135E69D42A95EF7DE5C4CB00

Function 00007FFB99005010 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

ConvertStringSidToSidW.ADVAPI32 ref: 00007FFB9900507C
LocalFree.KERNEL32 ref: 00007FFB9900509C

Part of subcall function 00007FFB99041330: GetLastError.KERNEL32 ref: 00007FFB99041334

Strings

HDDSSDUnknownnoyesDisk()[FS: ][Type: ][removable: ] mounted on : / B, xrefs: 00007FFB990051BD

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: ConvertErrorFreeLastLocalString
String ID: HDDSSDUnknownnoyesDisk()[FS: ][Type: ][removable: ] mounted on : / B
API String ID: 3685928780-2195794605
Opcode ID: 60a67b539aeef52074a088f9c3334d8b07d403f2b0bfb5e2f0fb73275f70c241
Instruction ID: a5f978bbc320bd7a9142c69856195a1e2d0e162c3664efe94e4dede11164ab55
Opcode Fuzzy Hash: 60a67b539aeef52074a088f9c3334d8b07d403f2b0bfb5e2f0fb73275f70c241
Instruction Fuzzy Hash: F35151B2A1CB8291EAB09F25F4513AAB764FB81784F505031EA9D47A69EF3CD145CB00

Function 00007FFB99005280 Relevance: 5.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990053B6
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB9900540B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990054D0
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB99005619

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 907ed15f83dbd4b7fe5550b04edfb633e21df681a76d593f6c88d92e9cf8fe1b
Instruction ID: ea58342616b916336e21e324ec2b08a091e14cba873b0ff943f8bafd2f745183
Opcode Fuzzy Hash: 907ed15f83dbd4b7fe5550b04edfb633e21df681a76d593f6c88d92e9cf8fe1b
Instruction Fuzzy Hash: 4BA18076A09BD185E6618F26E4143ABBBA4FB89BC4F545026EEDC03765DF3DD181CB00

Function 00007FFB99053120 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFB9905313C
TlsGetValue.KERNEL32 ref: 00007FFB99053311
TlsSetValue.KERNEL32 ref: 00007FFB99053321
TlsGetValue.KERNEL32 ref: 00007FFB9905337E

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92b4f54cbe8f68d83b097886e055e22686cba5b4e921202a88b12db328f1a14d
Instruction ID: 5955d48aab19248266aa58ce9cfb7e895fc0dac07bd3ab7c95000af03ca0797b
Opcode Fuzzy Hash: 92b4f54cbe8f68d83b097886e055e22686cba5b4e921202a88b12db328f1a14d
Instruction Fuzzy Hash: 5D917B61918AC291F7B28B29E0063F9A7A0FF94754F049231EADC03765EF79E5D68740

Function 00007FFB990A2A90 Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A2AC3
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFB990A2ADD
GetStdHandle.KERNEL32 ref: 00007FFB990A2B43
GetLastError.KERNEL32(?,?,?,00080088,?,00080070,00080070,00080060,00007FFB99086BC5), ref: 00007FFB990A2B5B

Memory Dump Source

Source File: 0000000E.00000002.102062619138.00007FFB98FF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFB98FF0000, based on PE: true

Associated: 0000000E.00000002.102062549180.00007FFB98FF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062935640.00007FFB990F2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102062979701.00007FFB990F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063159095.00007FFB991A3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063200271.00007FFB991A4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063242752.00007FFB991A6000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000E.00000002.102063289349.00007FFB991A9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb98ff0000_regsvr32.jbxd

Similarity

API ID: memcpy$ErrorHandleLast
String ID:
API String ID: 3844782297-0
Opcode ID: b4ab4f8a21ef303af1d75352173f6bae9ce8ff443c9bca7ab7fe9f73c1173003
Instruction ID: 6c0d57727b2778f81a4511de8153130a0798eb3b23c46c537c1abf8ee3d6f3ad
Opcode Fuzzy Hash: b4ab4f8a21ef303af1d75352173f6bae9ce8ff443c9bca7ab7fe9f73c1173003
Instruction Fuzzy Hash: E621F3C2B0A5D256FAB99E7ADA047F54A116F56BE0F198230DF7C47BC1D92CD5938300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report i9DKxTZoVd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2c5j33a1.vbs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fbhz142.kbu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg21qxr0.gvo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbu5rg0o.mzv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krorliuz.ovv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1jp1i1k.bm4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn2xafun.1dm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrmt4fbf.meg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2sop4h4.s1y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl01hpbh.by3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpwr3wzs.obh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zzs2efoc.gsb.psm1

C:\Users\user\AppData\Local\Temp\is-KU6E7.tmp\i9DKxTZoVd.tmp

C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-LKP6G.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\is-O75JM.tmp\i9DKxTZoVd.tmp

Windows Analysis Report
i9DKxTZoVd.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre